Subscribe to our Newsletter | To Post On IoT Central, Click here


security (26)

Using Blockchain to Secure IoT

By Ahmed Banafa

IoT is creating new opportunities and providing a competitive advantage for businesses in current and new markets. It touches everything—not just the data, but how, when, where and why you collect it. The technologies that have created the Internet of Things aren’t changing the internet only, but rather change the things connected to the internet—the devices and gateways on the edge of the network that are now able to request a service or start an action without human intervention at many levels.

Because the generation and analysis of data are so essential to the IoT, consideration must be given to protecting data throughout its life cycle. Managing information at all levels is complex because data will flow across many administrative boundaries with different policies and intents.

Given the various technological and physical components that truly make up an IoT ecosystem, it is good to consider the IoT as a system-of-systems. The architecting of these systems that provide business value to organizations will often be a complex undertaking, as enterprise architects work to design integrated solutions that include edge devices, applications, transports, protocols, and analytics capabilities that make up a fully functioning IoT system. This complexity introduces challenges to keeping the IoT secure, and ensuring that a particular instance of the IoT cannot be used as a jumping off point to attack other enterprise information technology (IT) systems.

International Data Corporation (IDC) estimates that 90% of organizations that implement the IoT will suffer an IoT-based breach of back-end IT systems by the year 2017.

Challenges to Secure IoT Deployments

Regardless of the role, your business has within the Internet of Things ecosystem— device manufacturer, solution provider, cloud provider, systems integrator, or service provider—you need to know how to get the greatest benefit from this new technology that offers such highly diverse and rapidly changing opportunities.

Handling the enormous volume of existing and projected data is daunting. Managing the inevitable complexities of connecting to a seemingly unlimited list of devices is complicated. And the goal of turning the deluge of data into valuable actions seems impossible because of the many challenges. The existing security technologies will play a role in mitigating IoT risks but they are not enough. The goal is to get data securely to the right place, at the right time, in the right format; it’s easier said than done for many reasons.

Dealing with the challenges and threats

Gartner predicted that more than 20% of businesses will deploy security solutions for protecting their IoT devices and services by 2017, IoT devices and services will expand the surface area for cyber-attacks on businesses, by turning physical objects that used to be offline into online assets communicating with enterprise networks. Businesses will have to respond by broadening the scope of their security strategy to include these new online devices.

Businesses will have to tailor security to each IoT deployment according to the unique capabilities of the devices involved and the risks associated with the networks connected to those devices. BI Intelligence expects spending on solutions to secure IoT devices and systems to increase five fold over the next four years.

The optimum platform

Developing solutions for the Internet of Things requires unprecedented collaboration, coordination, and connectivity for each piece in the system, and throughout the system as a whole. All devices must work together and be integrated with all other devices, and all devices must communicate and interact seamlessly with connected systems and infrastructures in a secure way. It’s possible, but it can be expensive, time-consuming, and difficult unless the new line of thinking and a new approach to IoT security emerged away from the current centralized model.

The problem with the current centralized model

The current IoT ecosystems rely on centralized, brokered communication models, otherwise known as the server/client paradigm. All devices are identified, authenticated and connected through cloud servers that sport huge processing and storage capacities. The connection between devices will have to exclusively go through the internet, even if they happen to be a few feet apart.

While this model has connected generic computing devices for decades and will continue to support small-scale IoT networks as we see them today, it will not be able to respond to the growing needs of the huge IoT ecosystems of tomorrow.

Existing IoT solutions are expensive because of the high infrastructure and maintenance cost associated with centralized clouds, large server farms, and networking equipment. The sheer amount of communications that will have to be handled when IoT devices grow to the tens of billions will increase those costs substantially.

Even if the unprecedented economical and engineering challenges are overcome, cloud servers will remain a bottleneck and point of failure that can disrupt the entire network. This is especially important as more critical tasks

Moreover, the diversity of ownership of devices and their supporting cloud infrastructure makes machine-to-machine (M2M) communications difficult. There’s no single platform that connects all devices and no guarantee that cloud services offered by different manufacturers are interoperable and compatible.

Decentralizing IoT networks

A decentralized approach to IoT networking would solve many of the questions above. Adopting a standardized peer-to-peer communication model to process the hundreds of billions of transactions between devices will significantly reduce the costs associated with installing and maintaining large centralized data centers and will distribute computation and storage needs across the billions of devices that form IoT networks. This will prevent failure in any single node in a network from bringing the entire network to a halting collapse.

However, establishing peer-to-peer communications will present its own set of challenges, chief among them the issue of security. And as we all know, IoT security is much more than just about protecting sensitive data. The proposed solution will have to maintain privacy and security in huge IoT networks and offer some form of validation and consensus for transactions to prevent spoofing and theft.

To perform the functions of traditional IoT solutions without a centralized control, any decentralized approach must support three fundamental functions:

  • Peer-to-peer messaging
  • Distributed file sharing
  • Autonomous device coordination

 

The Blockchain approach

Blockchain, the “distributed ledger” technology that underpins bitcoin, has emerged as an object of intense interest in the tech industry and beyond. #Blockchain technology offers a way of recording transactions or any digital interaction in a way that is designed to be secure, transparent, highly resistant to outages, audit-able, and efficient; as such, it carries the possibility of disrupting industries and enabling new business models. The technology is young and changing very rapidly; widespread commercialization is still a few years off. Nonetheless, to avoid disruptive surprises or missed opportunities, strategists, planners, and decision makers across industries and business functions should pay heed now and begin to investigate applications of the technology.

What is Blockchain?

Blockchain is a database that maintains a continuously growing set of data records. It is distributed in nature, meaning that there is no master computer holding the entire chain. Rather, the participating nodes have a copy of the chain. It’s also ever-growing — data records are only added to the chain.

A blockchain consists of two types of elements:

  • Transactions are the actions created by the participants in the system.
  • Blocks record these transactions and make sure they are in the correct sequence and have not been tampered with. Blocks also record a time stamp when the transactions were added.

What are some advantages of Blockchain?

The big advantage of blockchain is that it’s public. Everyone participating can see the blocks and the transactions stored in them. This doesn’t mean everyone can see the actual content of your transaction, however; that’s protected by your private key.

A blockchain is decentralized, so there is no single authority that can approve the transactions or set specific rules to have transactions accepted. That means there’s a huge amount of trust involved since all the participants in the network have to reach a consensus to accept transactions.

Most importantly, it’s secure. The database can only be extended and previous records cannot be changed (at least, there’s a very high cost if someone wants to alter previous records).

 How does it work?

When someone wants to add a transaction to the chain, all the participants in the network will validate it. They do this by applying an algorithm to the transaction to verify its validity. What exactly is understood by “valid” is defined by the blockchain system and can differ between systems. Then it is up to a majority of the participants to agree that the transaction is valid.

A set of approved transactions is then bundled in a block, which gets sent to all the nodes in the network. They, in turn, validate the new block. Each successive block contains a hash, which is a unique fingerprint, of the previous block.

There are two main types of Blockchain:

  • In a public blockchain, everyone can read or write data. Some public blockchains limit the access to just reading or writing. Bitcoin, for example, uses an approach where anyone can write.
  • In a private blockchain, all the participants are known and trusted. This is useful when the blockchain is used between companies that belong to the same legal mother entity.

The Blockchain and IoT

Blockchain technology is the missing link to settle scalability, privacy, and reliability concerns in the Internet of Things. Blockchain technologies could perhaps be the silver bullet needed by the IoT industry. Blockchain technology can be used in tracking billions of connected devices, enable the processing of transactions and coordination between devices; allow for significant savings to IoT industry manufacturers. This decentralized approach would eliminate single points of failure, creating a more resilient ecosystem for devices to run on. The cryptographic algorithms used by blockchains would make consumer data more private.

The ledger is tamper-proof and cannot be manipulated by malicious actors because it doesn’t exist in any single location, and man-in-the-middle attacks cannot be staged because there is no single thread of communication that can be intercepted. Blockchain makes trustless, peer-to-peer messaging possible and has already proven its worth in the world of financial services through cryptocurrencies such as Bitcoin, providing guaranteed peer-to-peer payment services without the need for third-party brokers.

The decentralized, autonomous, and trustless capabilities of the blockchain make it an ideal component to become a fundamental element of IoT solutions. It is not a surprise that enterprise IoT technologies have quickly become one of the early adopters of blockchain technologies.

In an IoT network, the blockchain can keep an immutable record of the history of smart devices. This feature enables the autonomous functioning of smart devices without the need for centralized authority. As a result, the blockchain opens the door to a series of IoT scenarios that were remarkably difficult, or even impossible to implement without it.

By leveraging the blockchain, IoT solutions can enable secure, trustless messaging between devices in an IoT network. In this model, the blockchain will treat message exchanges between devices similar to financial transactions in a bitcoin network. To enable message exchanges, devices will leverage smart contracts which then model the agreement between the two parties.

In this scenario, we can sensor from afar, communicating directly with the irrigation system in order to control the flow of water based on conditions detected on the crops. Similarly, smart devices in an oil platform can exchange data to adjust functioning based on weather conditions.

Using the blockchain will enable true autonomous smart devices that can exchange data, or even execute financial transactions, without the need of a centralized broker. This type of autonomy is possible because the nodes in the blockchain network will verify the validity of the transaction without relying on a centralized authority.

In this scenario, we can envision smart devices in a manufacturing plant that can place orders for repairing some of its parts without the need of human or centralized intervention. Similarly, smart vehicles in a truck fleet will be able to provide a complete report of the most important parts needing replacement after arriving at a workshop.

One of the most exciting capabilities of the blockchain is the ability to maintain a duly decentralized, trusted ledger of all transactions occurring in a network. This capability is essential to enable the many compliances and regulatory requirements of industrial IoT applications without the need to rely on a centralized model.

 This article originally appeared here. Header photo has been modified, credit here.

References

http://www.cio.com/article/3027522/internet-of-things/beyond-bitcoin-can-the-blockchain-power-industrial-iot.html

http://dupress.com/articles/trends-blockchain-bitcoin-security-transparency/

https://techcrunch.com/2016/06/28/decentralizing-iot-networks-through-blockchain/

http://www.blockchaintechnologies.com/blockchain-internet-of-things-iot

https://postscapes.com/blockchains-and-the-internet-of-things/

http://www-935.ibm.com/services/multimedia/GBE03662USEN.pdf

Read more…

Securing the Internet of Everything

The introduction of connected devices is complicating an already incredibly complex security environment for infosec professionals. In just two decades, the enterprise has gone from a controlled scenario of one device per user to a situation in which users may have five or more devices connected to sensitive systems and applications. As the IoT becomes more popular it will soon be impossible to quantify just how many internet-enabled, vulnerable points exist within an organization. So what can companies do to secure the IoT?
Read more…

How to secure your smarthome gadgets

By Ben Dickson. This article originally appeared here.

The holiday season is a big time for consumer electronics and smarthome gadget sales. With so many advances and innovations that we saw in the Internet of Things in 2016, there’s a likely chance that one of those connected devices has found its way into your home, or that of one of your loved ones, this Christmas.

But while IoT devices make our homes more efficient, drive energy saving and reduce costs, you should also take note that IoT devices are a source of security headaches. A huge number of smarthome gadgets are developed without sound development practices and end up being used for evil purposes.

So if you don’t want your smarthome gadgets to be used to spy on you, hurt you in some other way, or be used in the next massive IoT DDoS attack, take a minute to read these guidelines. They will help you get the most out of what your IoT devices have to offer without suffering the privacy and security repercussions.

Install the latest updates

Seldom you see a software or hardware released without glitches or bugs. Many of these loopholes leave your devices open to attacks and exploits. That’s why developers and manufacturers regularly roll out updates and security fixes.

First of all, before installing your new device, do a little internet research for known vulnerabilities, and make sure that the manufacturer has released a patch for the bug (patches are announced and delivered on the manufacturer’s website).

Make sure that the manufacturer has a policy and good track record of delivering updates. If a manufacturer doesn’t deliver security patches, I would recommend returning the gadget back to where you bought it from.

In some cases, there are workarounds that can help you plug a security gap by disabling some of the features or changing settings, but do it with caution.

Last word on updates: Since smarthome gadgets are usually installed and forgotten, register your device for update notifications in case the manufacturer does have such an option. This way, you can make sure that you don’t miss any important updates.

Protect your network from IoT hacks

Per se, connected devices such as light bulbs and coffeemakers might not contain sensitive information or functionality, but their vulnerabilities can provide attackers with potential footholds into your home network, giving them a beachhead to conduct more critical attacks against your laptop or workstation.

The first thing you should do is to change factory default settings (e.g. administrative passwords) on your devices after installing them. This is critical as many attacks are conducted by scanning the web for devices for unchanged factory settings.

Also make sure you don’t reuse a password you’ve set on a critical email or social media account, unless you want a breach to propagate to unwanted domains.

If your device offers several different connection channels, disable the ones you’re not using, and always prefer wired connections over WiFi and other wireless mediums. This will minimize the attack surface. If the device is associated with a mobile app, review the privileges it requires (microphone, camera, GPS access, etc.) and only grant permissions if it is absolutely necessary.

If you’re going away for a long time (vacation, business trip, etc.), make sure to turn off unneeded devices or at least disconnect them from the internet.

Last word on network protection: If your home router has a guest network option, you can use it to isolate your IoT devices from your local network. This will prevent breached gadgets from giving attackers network access to your laptop and other devices containing personal and sensitive information.

Protect your IoT devices from hackers

In the previous step, we discussed how to prevent IoT vulnerabilities from harming your network. But you should also protect your smarthome gadgets themselves. Some devices such as smart thermostats can deal real damage if hacked, while nearly all compromised IoT devices can be used to raise botnets and stage widespread DDoS attacks.

Unfortunately, a considerable percentage of IoT devices lack proper defense measures (and will continue to miss them for some time to come), therefore the first order of business should be to set up a firewall.

Most home routers have firewall rules and settings that can be easily set up to block access through unused ports. This can help prevent access to devices that don’t let you turn off unwanted remote access features.

To add an extra measure of defense, use a Virtual Private Network (VPN) to encrypt your outgoing and incoming traffic. The advantages of using VPNs is twofold. First, it’ll make up for lack of encryption in IoT devices. And second, it can make it more challenging for eavesdroppers to deduce life patterns from analyzing network traffic metadata.

Last word on device protection: You might want to consider investing in a smarthome intrusion detector, a breed of devices that analyze your home network’s traffic and look for patterns of malicious activities.

Protect your privacy

Most home IoT devices silently collect data about your daily routines and habits and often send them over to the cloud. While this helps devices and their manufacturers to analyze patterns and deliver better services, it can also become the source of privacy controversies.

First of all, you should clearly know how your data is used and processed before you connect any new device to the internet. Review the vendor’s data collection and sharing policies and make sure it explicitly states whether your data will be shared with third parties or not. There should also be an opt-out option for users who don’t want to have their data collected.

Also, if your device has a microphone or camera component and you’re not using it, disable it outright, because they can lead to some of the worst kind of privacy troubles. If there’s no switch or feature to turn off the camera, cover it or turn it to face the wall.

Last word on privacy: If you decide to sell your device or give it away to someone else, reset it to factory default settings and wipe out any user data you might have stored on it.

Over to you

IoT is the future. But it shouldn’t cost you your privacy and security. Hopefully, with these tips, you’ll be better positioned to make good and safe use of your smarthome gadgets while avoiding the pitfalls and unwelcomed tradeoffs.

How do you vet and secure your devices? Share with us in the comments section.

Read more…

Securing IoT Consumer Devices

As consumer electronics manufacturers release new gadgets for the holidays, security is likely to be the last thing on people's minds. Devices like Apple’s HomeKit turn your iPhone or iPad into a remote control for lights, locks, the thermostat, window shades and even your doorbell, making typical iOS functions like Siri voice-based extensions of controlling a smart home.

Yet even if most electronics on a home network employ top security standards, all it takes is a faulty webcam for an attack to happen.

We just saw this with internet infrastructure company Dyn in late October. Mirai malware took advantage of default, easy-to-guess passwords on the webcams of unsuspecting consumers, leading to a massive Distributed Denial of Service (DDoS) attack temporarily shutting down popular sites like Twitter and PayPal.

Along with Apple’s Authentication Coprocessor, HomeKit’s end-to-end encryption helps mitigate the risk of hacking. The coprocessor only sends a certificate that allows an iOS device to unlock an accessory (like your home’s light dimmers, thermostat and power meter) after the accessory completes a challenge sent by the iOS device. Any Internet of Things device that connects to this network, however, may not have the same robustness rules in place.

According to the IoT graphic from Arxan below, the number of devices connected to the internet reached 6.4 billion in 2016. Thus, in-home communication network security is only half the battle for consumers, as the cars they drive are increasingly becoming connected as well. Car manufacturers have different OEMs when it comes to displays and in-vehicle digital storage, meaning that all devices in a connected car may not use end-to-end encryption. Code scanners can interrupt critical functions and if you look further into automotive IoT security you’ll find that many parts of a vehicle that have been around for years--like the OBD2 port for engine diagnostics and on-board computers--could potentially be decrypted and injected with malware.

 

 

Read more…

12 Steps to Stop the Next IoT Attack in its Tracks

The recent distributed denial-of-service (DDoS) IoT attack against DNS is a wake up call to how fragile the Internet can be.

The IoT attack against Domain Name Servers from a botnet of thousands of devices means it’s way past time to take IoT security seriously. The bad actors around the world who previously used PCs, servers and smartphones to carry out attacks have now set their sights on the growing tidal wave of IoT devices. It’s time for consumers and enterprises to protect themselves and others by locking down their devices, gateways and platforms. While staying secure is a never-ending journey, here’s a list of twelve actions you can take to get started:

  1. Change the default usernames and passwords on your IoT devices and edge gateways to something strong.
  2. Device telemetry connections must be outbound-only. Never listen for incoming commands or you’ll get hacked.
  3. Devices should support secure boot with cryptographically signed code by the manufacturer to ensure firmware is unaltered.
  4. Devices must have enough compute power and RAM to create a transport layer security (TLS) tunnel to secure data in transit.
  5. Use devices and edge gateways that include a Trusted Platform Module (TPM) chip to securely store keys, connection strings and passwords in hardware.
  6. IoT platforms must maintain a list of authorized devices, edge gateways, associated keys and expiration dates/times to authenticate each device.
  7. The telemetry ingestion component of IoT platforms must limit IP address ranges to just those used by managed devices and edge gateways.
  8. Since embedded IoT devices and edge gateways are only secure at a single point in time, IoT platforms must be able to remotely update their firmware to keep them secure.
  9. When telemetry arrives in an IoT platform, the queue, bus or storage where data comes to rest must be encrypted.
  10. Devices and edge gateways managed by an IoT platform must update/rotate their security access tokens prior to expiration.
  11. Field gateways in the fog layer must authenticate connected IoT devices, encrypt their data at rest and then authenticate with upstream IoT platforms.
  12. IoT platforms must authenticate each device sending telemetry and blacklist compromised devices to prevent attacks.

Keeping the various components that make up the IoT value chain secure requires constant vigilance. In addition to doing your part, it’s important to hold the vendors of the IoT devices, gateways and platforms accountable for delivering technology that’s secure today and in the future.

Read more…

Reddit is now at the center of this attack that impacts millions of top domains (most of the Internet) since November 30. While Reddit appears at first glance as the perpetrator, it is actually the victim. This "behind the scene" scheme run from Russia generates huge amounts of fake traffic - as much as 10% of the entire Internet traffic.

It is not caught by Google Analytics, and thus it results in phony web traffic statistic and flawed reports, which is the main issue people are complaining about. It is not mentioned in any media, as far as I know. The attack, even though massive, looks rudimentary. I will explain the details shortly. It is launched either by a hacker playing some old tricks to a new scale (probably in collusion with a few Russian ISPs), or by professional criminals testing some devices, doing a rehearsal, testing how far they can go before being detected, or trying to distract us from a far more nefarious but smaller scale attack taking place at the same time.

At this point, this ongoing attack is a nightmare mostly for web analysts, webmasters, and some data scientists, though any data scientist worth her grain of salt should be able to precisely identify the fake traffic, and thus correct the phony numbers. Such attacks occured in the past (from other countries), but this one is the biggest that I have ever seen. The user visiting the websites impacted by the fake traffic won't notice anything: it is happening behind the scene. It is not a DoS (denial of service). attack impacting a few domains with highly concentrated traffic to knock them down, but instead smaller traffic volumes (per targeted domain) impacting millions of websites. If it was 10 times bigger, I would imagine that many websites would go offline though. The perpetrator is clever enough to maintain his scheme alive (avoiding being blocked) by not hitting too hard. Or maybe he has reached his limit in terms of available bandwidth. 

How is Reddit involved?

The fake (non-human) clicks come with a fake referrer. Initially, on November 30, it started with lifehacĸer.com as if the traffic was coming from that domain, but indeed the traffic was manufactured with a robot, not real humans.In the last section, we show source code that can generate such fake traffic, faking both the browser and the referrer field, so that when the victim checks his web traffic statistics, the top referral is now a fake. Typically, hackers who plant fake referrer domains use their own domain, they use this scheme as a way to generate free traffic: if dozens of million of fake referrers are planted across millions of sites, you would expect many web analysts and webmasters to check out the referral domain that suddenly seems to be generating such a big proportion of their traffic. At least this is the way this scheme has been used in the past.

Note that in the case of lifehacĸer.com (the domain used by the fraudsters on November 30) the letter k is not actually k, instead it is a cyrillic character that looks very much like k. Compare the two versions: lifehacĸer.com (with a Cyrillic character) with lifehacker.com (with a k.) So the fraudster tried to leverage this confusion.

Starting on the second day, and still today, the domain being used changed from lifehacĸer.com to reddit.com. Indeed, the full URL planted in millions of web logs suddenly became

https://www.reddit.com/r/technology/comments/5foynf/lifehac%C4%B8er...,

as if Reddit suddenly started to spam the whole Internet. Yet the traffic still originated from the same Russian locations, using the same (possibly fake) browser Safari, version 9. Interestingly, the Reddit link in question is the only article (besides this very article) talking about the attack. So the hacker decided to plant fake Reddit referrers in web logfiles across the world. Doing so could get Reddit blacklisted by Google, as Google algorithms could think that Reddit is using black hat SEO tricks to boost its traffic, something that typically gets a website blocked on Google. If instead of Reddit, the hacker would plant fake referrers using thousands of various domains, he could get many websites blocked on Google. Is that the plan? Probably not. 

Why is this traffic not blocked? How to deal with this attack?

It will eventually be blocked, though it tends to adapt to blocking, and usually comes back in a slightly different form. It is not filtered out by Google Analytics, which means that the hacker, via the fake clicks, is able to trigger the Javascript code found on all web pages that use Google Analytics for tracking and analytic reporting purposes. Typically, Google Analytics filter out very little traffic, if any. It automatically (by design) filters out most robots, as robots typically do not trigger Javascript code found on webpages. But this one does, so the hacker must have gone the extra mile to add this feature to his web robot.

Are Alexa.com statistics also impacted by this robot? Alexa did not update its website rankings for several days, which is unusual. It did update the numbers on December 1, but now all the numbers are off. My guess is that this is not related to the lifehacĸer.com attack, but instead it is related to some changes in the way Alexa ranks websites, which coincidentally happened concurrently with the attack. For instance, Alexa could have added many subdomains to its list of websites, or using a different time frame (3 months rather than last 30 days) to compute the website ranks, explaining why so many websites now suddenly have a rank that is significantly worse.

It is easy to block the fake traffic at the web server (Apache) level, click here for details. And as always, the most robust traffic metric for your website is the number of new members, assuming you are able to detect and reject sign-ups from spammers and other undesirable people or robots. In this attack, no (fake) new members are being added. But the number of sessions, pageviews, and even (to a lesser extent) users, are impacted.

What are the hacker's motivations? Why is the attack so rudimentary? 

The attack is not carried out by a data scientist, or if it is, it must be by a very dumb one: it is so easy to identify the fake traffic, based on location, browser, and referrer. It is as if the attacker wants you to discover the fake traffic, and the extent of the attack, and he is smart enough to keep it going, avoiding blocking. He is probably not acting alone.

The hacker must have a database of millions of websites (the victims) with some indication of traffic volume for each website. Indeed, websites with lots of traffic are hit harder in terms of total number of fake clicks, but not so much in terms of proportion of fake traffic. Such lists of websites are easy to come by (I have my own based on years of web scraping) and some of them are even public. Quantcast used to publish such a list for the top one million websites, you can still find it here, but it is clearly outdated: many of the target websites (victims) that I checked were not on that list, despite their traffic volume. 

As for the motivations for doing this unusual attack, I don't know. It could be to prove that the attacker is smarter than Google Analytics (in some ways, he is.) Obviously, anyone carrying an attack must use the dumbest possible technique that will work, to avoid revealing advanced tricks to the people trying to catch or block you. If it works even though it is rudimentary, so be it, it is good news for the hacker. That said, there is some level of sophistication in it, but it is from a software rather than statistical engineering point of view. For instance, it must be deployed in some distributed environment to successfully generate so many clicks in so little time. But the algorithm that does that is actually a textbook example about how Map-Reduce works. From a statistical engineering point of you, you could not design something more dumb than that though. Yet, I imagine that the hacker will add a bit of statistical engineering in his next release. Or use a Botnet instead.

Interestingly, Ive found an article entitled A Russian Trump fan is celebrating by hacking Google Analytics, though this could just be another piece of fake news

Source code to plant fake referrers

The source code below is very basic: while it plants fake referrers, it does not trigger the Javascript code used by Google Analytics to track traffic. Click here for more details. It is also one of many different ways to achieve the same results -- and clearly the hacker did not use such a script here -- otherwise we would likely see tons of (fake, simulated) browsers associated with the attack, not just Safari version 9. 

#!/usr/bin/perl

use LWP::UserAgent;

$ua = LWP::UserAgent->new;
$ua->agent("Fake Browser: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)");
$ua->timeout(2);
$ua->env_proxy;
$ua->max_size(64000);


# Create an HTTP request
my $req = HTTP::Request->new(GET => 'http://www.TheVictim.com');

$req->header(Accept => "text/html, */*;q=0.1", referer => 'http://www.FakeReferrer.com/');

# Pass request to the user agent and get a response back
my $res = $ua->request($req);

# Check the outcome of the response
if ($res->is_success) {
  print $res->content;
} else {
  print $res->status_line, "\n";
}

 

Reddit thread discussing the attack

Read more…

Bruce Schneier, cybersecurity expert, cryptologist

By Ben Dickson. This article originally appeared here. 

As if I haven’t said it a million times, IoT security is critical.

But just when I thought I had it all figured out, somebody comes along and sheds new light on this very important topic in a different way.

At a November 16 hearing held by the Congress Committee on Energy and Commerce in light of the devastating October 21 Dyn DDoS attack, famous cryptologist and computer security expert Bruce Schneier offered a new perspective on IoT security, which makes it easier for everyone to understand the criticality of the issue.

After watching it at least three times, I decided to share the main concepts with the readers of TechTalks. Here are the key takeaways, which I’ve taken the pain to elaborate on.

Everything is now a computer

“Everything is now a computer,” Schneier said at the beginning of his remarks, after which he gave examples about how our phones, refrigerators, ATM machines and cars have in essence become computers that perform functions in the physical world.

“And this is the Internet of Things, and this is what caused the DDoS attack we’re talking about,” he continued.

IoT devices are much more different from objects with a little silicon and electronics baked in. We’re talking about devices that are sometimes running fully functional operating systems and are enjoying broadband internet connections.

And as we all know, computers are smart—but they’re also hackable.

So what it comes down to is that soon, everything around you, from your toaster to your lawn mowing machine, fridge, light bulb and door lock can be hacked and used directly (against you) or indirectly (against others) for evil purposes.

And then Schneier went on to “give four truths” from the world of computer security—which he extended to “everything security”—that apply to everything.

Attack is easier than defense

This was Schneier’s first premise. As the saying goes in cybersecurity jargon “cybersecurity experts have to win every battle. Hackers only have to win once.”

But it was his next phrase that said it all.

“Complexity is the worse enemy of security,” he said. “And this is especially true for computers and the internet.”

Attackers find methods to use software and operating systems in malicious ways that were never imagined by their developers. This is partly due to security flaws found in the source code or the simple fact that the basic functionalities embedded in those software can be combined in innumerable ways.

Even highly secure operating systems such as the Apple iOS tend to spit out vulnerabilities every once in a while.

So said in another way, you have to plug every security hole—hackers only have to find one.

Interconnections introduce new vulnerabilities

This is an extension of the complexity concept.

“The more we connect things to each other,” Schneier said, “the more vulnerabilities in one thing affect other things.”

And he went on to give accounts of some of the cyberattacks that made their fame in recent years, including the Target hack, and of course the Dyn attack, in which the hackers exploited vulnerabilities in several systems to stage their attack.

“Vulnerabilities like this are hard to fix because no one system might be at fault,” Schneier explained.

In many cases a flaw in one system might not be critical per se, but when that system or component is combined or connected to another one, the same vulnerability might open up new ways to cause harm.

Many IoT manufacturers embed third party components into their products that are inherently insecure, and they don’t even know about it. I know of at least one Chinese company that was offering vulnerable white label DVRs and components to other companies, whose products were involved in the Dyn DDoS attack. Good luck recovering all those tens of thousands of devices.

And we’re entering a world where abstraction is playing an increasingly important role in creating software and hardware. Blackbox systems connect over the internet and allow access to their data and functionality without having full knowledge of their vulnerabilities.

The internet empowers attackers

“The internet is a massive tool for making things efficient,” Schneier said, “and that’s also true for attacking. The internet allows attacks to scale to a degree that’s impossible otherwise”

The Internet of Things has taken that scaling power to the next level. It was true for the Dyn attack, as well as a host of other recent DDoS attacks that were based on IoT botnets.

In terms of efficiency, Schneier underlined the fact that hackers have an easier time sharing their knowledge and experience thanks to the internet. The source code for the Mirai botnet, which was used to stage the Dyn attack, has been released and is now available for all to use.

And for those who don’t have the knowledge to make use of the source code and create their own IoT botnet, they can rent one at an affordable price. “I don’t recommend it,” Schneier said.

The for-rent cybercrime business model is gaining traction. Recently, hackers put up a ransomware-as-a-service platform to allow wannabe hackers to cash-in on cyber extortion.

“This is more dangerous as our systems get more critical,” Schneier said next. “The Internet of Things affects the world in a direct and physical manner.”

This is something that I’ve been saying a lot. It’s one thing to lose access to your favorite website, lose online documents or even have your most intimate secrets doxed. But it’s another thing altogether where your very life and health are concerned and can becompromised from thousands of miles away.

And that’s what the Internet of Insecure Things is leading us.

Schneier: “There’s real risk to life and property. There’s real catastrophic risks.”

The economics don’t trickle down

“Our computers are secure for a bunch of reasons,” Schneier said—and that’s relatively speaking (my own comment). “But it doesn’t happen for these cheaper devices.”

There are many reasons that IoT devices are created with less security. Schneier named a few:

  • Low profit margins: Manufacturers are doing their best to lower the costs, and therefore pack the devices with cheaper and less secure components, and firmware and low-end operating systems that can’t run security software.
  • IoT devices are offshore: Many devices are treated in an install-and-forget manner. How many times do you check the logs for your thermostat? Also, no sane person leaves their desktop computer or smartphone in an unprotected environment. But IoT devices are made to be installed in the open and left unattended. And yet in many cases, these same devices sport storage and computation capabilities that rival those of mobile and desktop computers, to say nothing of their broadband internet connections.
  • No dedicated security teams: Many of the manufacturing companies don’t allocate resources and funds to securing their devices, because as some will honestly admit, “Consumers don’t pay for security. They pay for functionality.” And vetting code and hardware for security can be costly. Also, we’re in the “Gold Rush” phase of the IoT industry’s development, where every new kid on the block is in a hurry to ship a connected device to the market before their competitors do, so naturally, things such as security take a backstage seat.
  • Devices can’t be patched: Desktop and mobile operating systems are regularly updated and patched to fix security holes. The same can’t be said about IoT devices. In many cases, the mechanism is nonexistent, while in others, it’s so arduous that consumer will simply forego applying them. And let’s not forget that these are install-and-forget products. And as Schneir reminded in his remarks, many of these “things” such as fridges and cars will not be replaced for a long time—some, never. This means they’ll remain vulnerable for the rest of their lives, causing potential damage to their owners and others.

What needs to be done?

“The government has to get involved,” Schneier said. “What I need are some good regulations.”

I agree, but I would also extend the point and say “Everyone has to get involved,” and that includes manufacturers, who should get serious about securing their devices, or suffer the consequences. It also concerns ISPs, who should do more to spot and block botnet traffic. And consumers should become more savvy on cybersecurity in general and demand more security from manufacturers.

But of course, the government has to play a regulatory role that will ensure implementation.

“For the first time, the internet affects the world in a direct, physical manner,” Schneier said. “When it didn’t matter—when it was Facebook, when it was Twitter, when it was email—it was OK to let programmers, to give them the special right to code the world as they saw fit. We were able to do that. But now that it’s the world of dangerous things… maybe we can’t do that anymore.”

I liked that phrase, and I think we ought take it seriously.

Watch the full hearing here:

Read more…

IoT Central Digest, November 1, 2016

Well October was definitely a scary month for IoT. In this edition our newsletter revisits the security issues that hacked their way into IoT last month. If you haven't been paying attention, or are looking for different points of view, you'll want to read the pieces below from our members and contributors. Lets hope for a more secure and sane month of November.

Also, a reminder, this Thursday, November 3, 2016, join me, John Myers of Enterprise Management Associates and Dan Graham of Teradata where we look at what people REALLY do with the Internet of Things and Big Data? Registration information is here.

If you're interested in being featured, we always welcome your contributions on all things IoT Infrastructure, IoT Application Development, IoT Data and IoT Security, and more. All members can post on IoT Central. Consider contributing today. Our guidelines are here.

The Internet of Evil Things

Guest post by Joe Barkai 

You may have heard me at a conference or read my response to questions concerning the security of the Internet of Things. When asked, I sometimes “refuse” to answer this question. This is not because I do not think that data security—and the closely-related data privacy—are not important; of course they are.  But I want to highlight the point that data security and privacy are foundational issues that are not unique to IoT devices. Every enterprise must ensure that all data—IoT generated or not—is secured and that data privacy and ownership are handled properly.

Do not stop asking for security in IoT

Posted by Francisco Maroto

Almost three years ago, I wrote in my IoT blog  the posts “Are you prepared to answer M2M/IoT security questions of your customers ?. and “There is no consensus how best to implement security in IoT” given the importance that Security has to fulfil the promise of the Internet of Things (IoT). And during this time I have been sharing my opinion about the key role of IoT Security with other international experts in articles “What is the danger of taking M2M communications to the Internet of Things?, and events (Cycon , IoT Global Innovation Forum 2016).

Hacking a Home Can Be Easier Using IoT - Is Your Smartphone Safe?

Posted by Mike Davidson  

Internet of Things has raised concerns over safety. Nowadays, it is possible to control your home using your Smartphone. In the coming years, mobile devices will work as a remote control to operate all the things in your house.   Some devices display one or several vulnerabilities that can be exploited by the hackers to infiltrate them and the whole network of the connected home.

How insecurity is damaging the IoT industry

Guest post by Ben Dickson

The Internet of Things (IoT) is often hyped as the next industrial revolution—and it’s not an overstatement. Its use cases are still being discovered and it has the potential to change life and business as we know it today. But as much as IoT is disruptive, it can also be destructive, and never has this reality been felt as we’re feeling it today. On Friday, a huge DDoS attack against Dyn DNS servers led to the majority of internet users in the U.S. east coast being shut off from major websites such as Twitter, Amazon, Spotify, Netflix and PayPal.

IOT Security Trends// Is the Online World More Dangerous ??

Posted by Bill McCabe 

Security threats are the biggest concern among the main concerns on the Internet of Things. Due to its very nature, it is a target of interest for those who want to commit either industrial or national espionage. By hacking into these systems and putting them under a denial of service, or other attacks, an entire network of systems can be taken out. This has caused cyber criminals to become very interested in the IoT and the possibilities that surround its misuse.

Report: List of Top 10 Internet of Radios Vulnerabilities

Posted by David Oro

The IoT has a big security problem. We've discussed it herehere and here. Adding to these woes is a new report on the Top 10 Internet of Radios Vulnerabilities. Yes, radios...because IoT so much more than data, networking, software, analytics devices, platforms, etc. When you're not hardwired, radio is the only thing keeping you connected.

5 Steps to Creating a Secure Smart Home

Posted by Ryan Ayers 

First came smartphones, equipped with the ability to set alarms and calendar notifications, reminders, and other convenient apps and services to make our lives easier. Taking that a step further are “smart homes” or automated homes, which allow users to remotely control devices in the home such as lights, televisions, and even toilets and water pumps, using a smartphone or computer. Aside from remote control, however, smart systems in homes can also help make the home more adaptable. For example, Nest is a smart system that learns the home’s inhabitants’ schedules and preferences to heat or cool the house for maximum efficiency and comfort. Sounds great, right? Many people think so, which is why the industry is projected to keep growing quickly from 48 billion in 2012 to an estimated $115 billion by 2019

How the IoT industry will self-regulate its security

Guest post by Ben Dickson

Following last week’s DDoS attack against Dyn, which was carried out through a huge IoT botnet, there’s a general sense of worry about IoT security—or rather insecurity—destabilizing the internet or bringing it to a total collapse.

All sorts of apocalyptic and dystopian scenarios are being spinned out by different writers (including myself) about how IoT security is running out of hand and turning into an uncontrollable problem. There are fears that DDoS attacks will continue to rise in number and magnitude; large portions of internet-connected devices will fall within the control of APT and hacker groups, and they will censor what suits them and bring down sites that are against their interests. The internet will lose its fundamental value. We will recede to the dark ages of pre-internet.

Additional Links

Follow us on Twitter | Join our LinkedIn group | Members Only | For Bloggers | Subscribe

Read more…

How the IoT industry will self-regulate its security

iot security

Guest post by Ben Dickson. This article originally appeared here.

Following last week’s DDoS attack against Dyn, which was carried out through a huge IoT botnet, there’s a general sense of worry about IoT security—or rather insecurity—destabilizing the internet or bringing it to a total collapse.

All sorts of apocalyptic and dystopian scenarios are being spinned out by different writers (including myself) about how IoT security is running out of hand and turning into an uncontrollable problem. There are fears that DDoS attacks will continue to rise in number and magnitude; large portions of internet-connected devices will fall within the control of APT and hacker groups, and they will censor what suits them and bring down sites that are against their interests. The internet will lose its fundamental value. We will recede to the dark ages of pre-internet.

That might be stretching it a bit, but the idea is that at the moment, IoT botnets are one of the biggest threats to internet stability, and there seems to be no stopping their growth because neither manufacturers nor consumers are concerned with IoT security, and as a result millions of new vulnerable devices are plugged into the internet every day, providing botlords with fresh new conscripts for their zombie armies.

But the silver lining in the entire Dyn episode is that it has served as a wakeup call for companies developing IoT solutions. Shortly after the attack, news broke that hacked products belonging to a certain Chinese electronics component manufacturer were the main culprit behind the Mirai botnet that launched the attack.

The company was forced to recall its products in order to patch them or replace them, which is pretty challenging because it develops and sells white-label products, which means many of its customers might not even know they are using its components. And there will always be some residual damage, as it’s virtually impossible to recall all devices, which means some will still roam across the internet with old vulnerabilities remaining.

Aside from the financial damage and the costs incurred from the recall and replacement, the company has suffered a huge blow to its reputation, and will have to try hard to regain the lost trust of its current and future customers.

This will serve as a warning to other companies that are in a hurry to avoid missing their share of a market slated to grow multi-trillion dollars in the next years, and are shipping out products without testing and vetting them for proper security and reliability. They will finally come to realize that it is within their long term interests to include security as part of the development process, rather than approaching it as an afterthought and focusing on the fast shipment of their products.

Many companies don’t even have the in-house expertise and knowhow of dealing with security issues in connected environments. They’ll have to either acquire the talent or outsource their security procedures. But it’s not something they can do without if they wish to survive the trials that await them.

They will also become more wary of the third party components they integrate into their products. As a result, component makers—like the one that was exposed after the Dyn attack—will also have to be more careful about what they’re selling to their customers.

And they’ll have to provision for the day security flaws surface in their products. Many IoT devices don’t have any means for updates and patch installation. In order to avoid the time-consuming and costly process of recalling products, manufacturers will have to embed over-the-air and online updating mechanisms, which will also make it easier for consumers to keep their devices up to date with the latest patches.

The overall result will likely be a slowdown of the IoT gold rush, which is a good thing. Newcomers as well as veterans will have more time to think meticulously on the design of their products and put more energy into securing their devices and preparing them for future developments and changes. Improved resilience and flexibility will be a positive byproduct of the process.

All in all, although the Friday’s attack was painful, it will help mature the IoT industry. From now on, manufacturers will either have to bake-in security into their products, or will have to wait for a security disaster to force them to either go out of business or fix their mess. Any rational mind will choose the former.

So things are not as bad as they seem. This is what I call the self-regulation of the IoT industry. Wonderful, isn’t it?

FEATURED IMAGE: SAVASYLAN/SHUTTERSTOCK

Read more…

The Internet of Evil Things

The Seventh Seal (1957)

Guest post by Joe Barkai. Original story appeared here

How Secure is the Internet of Things?

You may have heard me at a conference or read my response to questions concerning the security of the Internet of Things. When asked, I sometimes “refuse” to answer this question. This is not because I do not think that data security—and the closely-related data privacy—are not important; of course they are.  But I want to highlight the point that data security and privacy are foundational issues that are not unique to IoT devices. Every enterprise must ensure that all data—IoT generated or not—is secured and that data privacy and ownership are handled properly.

But in light of the recent highly-publicized cyberattacks, and a session with Chris Valasek (who is best known for wirelessly hacking a Jeep wrangler) and Mark Weatherford (past deputy Undersecretary for Cybersecurity at the U.S. Department of Homeland Security), I thought I should provide a brief update.

CCTV Bots Attack the Internet

On October 21, a massive, highly-distributed cyberattack, involving millions of IP addresses and a malicious software, crippled web servers across the U.S., temporarily shutting down DNS services and rendering major Internet sites inaccessible.

Distributed denial-of-service (DDoS) are not new. But according to web security firm Sucury, this was the first time it had observed an attack powered solely by hacked CCTV devices. The company discovered attackers have compromised more than 25,000 digital video recorders and CCTV cameras, and are using them to launch DDoS attacks against websites.

Taxonomy of IoT Devices

Internet-connected devices, such as the CCTV devices involved in the DDoS cyberattack, are getting cheaper and more powerful. This trend inspires conceptual architectures that place smart, connected devices at the edge of the IoT network.

There are some perfectly good arguments as to why sophisticated devices with autonomous decision authority should reside at the edge of the network. For instance, moving decision-making devices closer to the industrial processes they control improves real-time control and reduces network traffic and information latency.

On the other hand, there are also equally convincing rationales to consider the use of less sophisticated and less autonomous edge devices.

First, devices that do not need to perform complex computational tasks are simpler and cheaper, consume less power, and are less prone to failures. And because of their low computation bandwidth and limited command and control reach, these devices are far less prone to hacking.

Much more importantly, however, many business decisions should not and cannot be performed at the edge device level. While command and control of a single machine can be done locally and autonomously, the type of deep insight that drives predictive analytics and long-term decisions is based on multiple inputs from the broader IoT and business network: multiple machines, multiple production lines, and in multiple locales. These types of analyses and decisions can only be carried out centrally.

There is no single “ideal” architectural. The power of the Internet of Things is in the ability to form a flexible decision-making architecture, and to move analytics and decision making as needed between edge devices (for example, for real-time control), and centralized cloud applications such as fleet optimization.

In my book The Outcome Economy: How the Industrial Internet of Things is Transforming Every Business, I propose a taxonomy of IoT devices, which can serve to determine the level of decision-authority that should be given to different edge devices.  The following is a shorter version of this taxonomy description.

Activity-Aware Devices

The basic building blocks of the Industrial IoT are single-task devices such as sensors, pumps, valves, and motors. These devices can measure and send discrete pieces of information (a sensor) or respond to a simple on/off command (a pump, a valve, or a motor).

An activity-aware object “understands” the physical world in terms of event and activity streams, where each event or activity is directly related to the task the object is to perform: turn on, measure, etc.

The operating model of activity-aware devices is typically a simple linear sequence of data collection and processing functions, such as a time or state series. These devices primarily measure and log data, but do not provide interactive, analytic, or self-governance capabilities.

Policy-Aware Devices

A policy-aware device is an activity-aware object with an embedded policy model. A policy-aware device can sense and interpret events and activities and respond to them based on predefined operational and organizational policies.

The governance model of policy-aware devices consists of application-specific policies expressed as a set of rules that operate on event and activity streams to create actions. The model provides context-sensitive information about event handling and work-activity performance. In particular, it can issue warnings and alerts if it’s unable to comply with the policy or the operating model.

Many industrial devices, even simple ones, are policy-aware devices. For example, a thermostat in a cold-chain application is commanded to maintain a certain ambient temperature range. In other words, the thermostat has an autonomous decision-making capability to enable it to comply with the policy. An air-conditioning unit and an alarm system are other examples of policy-aware devices.

Process-Aware Devices

A process is a collection of related activities that are sequenced in time and space to accomplish a task or a combination of tasks. Process execution rules can be included for dynamic recombination of activities to support a broader range of interrelated activities, tasks, and sub-tasks, and have greater event-handling agility and decision capacity.

A process-aware device is aware of and “understands” the organizational processes that it is a part of. Moreover, it is also aware of other devices in its subnetwork operating in tandem to implement the process and can relate the occurrence of real-world activities and events of these processes to the user.

Cold-chain logistics, process automation and control, robots, and manufacturing execution systems (MES) are examples of process-aware applications.

The application model of process-aware objects is built around a dynamic context-aware workflow model that defines timing and ordering of work activities. Work processes (that is, sequence and timing of activities and events) communicate with others to accomplish predefined, high-level tasks.

Not Everything Than Can Be Connected, Should Be

Every industry survey stresses security concerns as one of the top hurdles in the way of broad adoption, and the publicity of IoT-generated DDoS attacks, which impacted both businesses and individuals, will further erode the confidence of consumers and corporations alike. There’s probably very little damage in curbing the enthusiasm of those that marvel the vision of connected refrigerators and toasters, but the participants in the Industrial IoT and the connected infrastructure overall, should intensify the conversation about standardization, certification and registration, and the delicate balance between enforcement and enticement.

These conversations are critical, but, as stated before, are not limited in scope to the Internet of Things.

While we work to encourage the use of standards, best practices, and better technology, let’s remember that not everything than can be connected, should be.  Let’s focus on valuable scenarios rather than the digital chatting between coffee pots and toasters.

(Portions of this articles are from The Outcome Economy: How the Industrial Internet of Things is Transforming Every Business)

Read more…

How insecurity is damaging the IoT industry

internet of things

Guest post by Ben Dickson. This story originally appeared here

The Internet of Things (IoT) is often hyped as the next industrial revolution—and it’s not an overstatement. Its use cases are still being discovered and it has the potential to change life and business as we know it today. But as much as IoT is disruptive, it can also be destructive, and never has this reality been felt as we’re feeling it today.

On Friday, a huge DDoS attack against Dyn DNS servers led to the majority of internet users in the U.S. east coast being shut off from major websites such as Twitter, Amazon, Spotify, Netflix and PayPal.

The culprit behind the attack was a huge botnet. Botnets are armies of zombie computers, vulnerable devices secretly compromised by hackers, which are silently doing the bidding of their masters, the botlords, without their true owners knowing about it.

While botnets and DDoS attacks are nothing new and have been around for a while, the advent and propagation of IoT devices has led to their chaotic growth. There are now millions of vulnerable IoT devices that are easier to access and even easier to hack than, say, computers and tablets that are packed with anti-virus software. That’s why IoT botnets are fast becoming a favorite for bot herders and a real threat for the cybersecurity industry. Put in another way, they are democratizing censorship by enabling any hacker with minimal resources to launch government-level DDoS attacks and bring down sites they don’t like.

This is sad news for the IoT industry. It is now evident more than ever that the IoT industry is in a mess, and it’s going to take more than individual efforts to fix it.

The problem, as I see it, is that all the parties that are directly—or indirectly—involved are either ignorant about security issues or have other priorities.

For their part, manufacturers are too focused on shipping feature-complete devices rather than creating secure and reliable products. After all, the IoT industry is in its gold rush era, and everyone is in a hurry to climb the bandwagon and grab a larger piece of the pie.

And that’s how security concerns take a backseat row in IoT development while timing and costs become prominent.

But why are the manufacturers getting away with their incompetence at securing IoT devices? Because others—namely consumers—couldn’t care less. As the manufacturers will tell you, customers don’t buy security, they buy functionality. They want something that works in an install-and-forget model and don’t want to be pestered with security procedures and practices such as password resets and software updates—and costs for things they can’t directly see with their eyes.

As for governments, they’re concerned about the security of IoT, but they’re not doing enough to regulate it and compel companies to vet their products for security and resilience against attack. The only novel and honest efforts we’ve seen so far include initiatives such as the IoT Security Foundation, but there’s only so much a single organization can do when it’s dealing with billions of potentially vulnerable devices and deaf ears that won’t listen to the voice of reason.

And here we are, almost on the brink of IoT devices outnumbering humans, and already devices of our own making are being used to deny us access to our most vital services and needs.

Friday’s spate of IoT-powered DDoS attacks should serve as a wake-up call, not only for IoT manufacturers, adopters and consumers, but for everyone. Many of the people who were affected by the attacks didn’t even know what IoT is.

So whether you care about IoT or not, it’s in your interest to see it secured.

And as much as I love IoT, I’m sad to see the industry destroying itself.

So what’s the solution? I like the thoughts shared by Bruce Schneier in this Vice Motherboard article, and I’d like to build on those to raise the following points, very concisely:

  • Manufacturers should make security an inherent part of their development cycle. Security shouldn’t come as an afterthought but as an integral part of building any IoT or other connected device. And I’ve said this a million times.
  • Consumers should take their own security more seriously. Our lives are becoming more connected than before. Internet services and resources are more vital to our daily tasks than any other time in history. So we should be more vigilant about the integrity of the devices that are being connected to the internet and hold their manufacturers to account for the security shortcomings. (Security developer Edward Robles has shared some interesting thoughts on how we should change our mindsets toward security in this guest post.)
  • Governments must play a more active role in regulating and controlling IoT security. Standards must be set to make sure every single device that is shipped to the market and connected to the internet complies with a set of security standards and punish organizations that do not abide by the rules.

Of course, no single government can control the security of all the devices being connected to the internet. I’m thinking about a solution based on blockchain technology that will create a global answer to vetting IoT devices for security. I’ll write about it in the future.

What’s urgent is to have a concerted and unified effort to fix the messy state of IoT security. Today, we’re dealing with DDoS attack. Tomorrow, it could be something worse.

There’s no putting the genie back in the bottle. For better or for worse, IoT will transform our future. Let’s work together to make sure it’s going to be the former and not the latter.

How do you think we should deal with IoT security problems? Share in the comments section.

Read more…

5 Steps to Creating a Secure Smart Home

First came smartphones, equipped with the ability to set alarms and calendar notifications, reminders, and other convenient apps and services to make our lives easier. Taking that a step further are “smart homes” or automated homes, which allow users to remotely control devices in the home such as lights, televisions, and even toilets and water pumps, using a smartphone or computer. Aside from remote control, however, smart systems in homes can also help make the home more adaptable. For example, Nest is a smart system that learns the home’s inhabitants’ schedules and preferences to heat or cool the house for maximum efficiency and comfort. Sounds great, right? Many people think so, which is why the industry is projected to keep growing quickly from 48 billion in 2012 to an estimated $115 billion by 2019

Smart homes are among the first steps toward mass adoption of the Internet of Things (electronic devices connected to both the Internet and to each other for data collection and sharing), but there are some major security concerns involved with their implementation. Kashmir Hill, a writer for Forbes, revealed that she was able to access 8 smart home systems simply by searching for a list of the homes on Google. The company that had set up these homes did not require a username or password, allowing Hill to start monkeying with the homes’ lights and other devices at once. After alerting the owners to the real security risks implicated by these readily-available controls, Hill did some more research on the security of smart homes—and found out that precautions had been less than stellar in protecting homes from cybercrime.

The Threat of Cybercrime

Neglecting to add password protection and allowing the controls to show up in search engines were a combination of user and company error, but Insteon, which installed these systems, hasn’t improved their systems that much. Security professionals revealed it would be easy to hack the passwords, making homes vulnerable to cybercrime. Security issues are a major worldwide problem, with 80-90 million cybersecurity events per year, 70% of which go undetected. Because attacks on smart homes leave families vulnerable to both identity theft and physical intrusion, a solid cybersecurity system is an absolute must. Here are 5 tips for creating a secure smart home and avoiding breaches.

1. Choose the Right Company

As security experts discovered, thwarting hackers isn’t at the top of many companies’ to-do list when putting out smart home systems. As a consumer, it’s important to shop around and ask questions about the systems’ security to ensure adequate measures have been taken to make sure it’s difficult for hackers to access the homes’ devices. Ask about password protection, encryption use, and how data is collected, used, and stored.

2. Set Up Basic Security

As a smart home owner, you’ll need to be sure that your devices can’t be accessed by strangers with ease. Take a look at the credentials required for each app and portal that can access your devices, and change any default PIN numbers and passwords to reduce the chance that an unauthorized person could access your data. Ensuring your security configurations are correct is essential to a strong smart home security system. Finally, firewall and anti-virus software will help keep your home safe. Your WiFi security should be strong as well, though it’s a myth that smart devices can only be access on the home’s WiFi systems. 

3. Use Biometrics and Wearables

Biometrics are extremely helpful in creating strong security systems. Fingerprint scanning, facial or voice recognition, and even heart rate variability from wearable smart devices can help to enhance security and ensure that no one but the main user has access to systems and devices unless granted permission. 

4. Keep Smart Devices Updated

Updating computer systems can be a pain, but not keeping up with these security updates can leave devices vulnerable to attack. Keep all your devices up to date, including both your homes’ devices, and the devices you use to control them. 

5. Install Alerts 

There are applications available that can alert users if there has been an unauthorized attempt to access a connected device. It’s a good idea to install one of these apps (choosing an option that will allow alerts to be accepted or declined when triggered) to help monitor the activity on your smart home system. 

An Exciting Development 

As the technology advances, smart homes will become more and more useful to their inhabitants, providing personalization and reminders that can enhance everyday life. However, security risks involved with these systems are ever-present, and careful precautions should be taken to avoid attacks. Don’t be a victim of theft—consider cybersecurity carefully when updating your home.  

Read more…

Over on MotherBoard, noted cryptographer, computer security and privacy specialist, and writer, Bruce Schneier pens his thoughts on the recent gaping holes in security for Internet connected devices. When Bruce speaks, people listen. 

First, if you haven't been following the recent DDoS attacks using IoT devices, read this. In short, IoT devices have been comprised to attack networks. 

It's so bad that Bruce is calling out the IoT market for failing to secure their devices and machines that connect to the Internet and is asking for government intervention.

He writes:

What this attack demonstrates is that the economics of the IoT mean that it will remain insecure unless government steps in to fix the problem. This is a market failure that can't get fixed on its own.

He continues that security has been built into many our computers and smartphones because there is money to invest in security, the same can't be said for low margin embedded systems like digital video recorders or home routers. Security is not their expertise. Even worse, he adds, most of these devices don't have any way to be patched.

He argues the market can't fix this because neither the buyer nor the seller cares. Government must step in and solve the problem says, Schneier.

What do you think?

Full article on Motherboard here

 

Read more…

Image: Lorenzo Franceschi-Bicchierai/Vice Motherboard

By Ben Dickson. This article originally appeared here

At the recent Def Con hacking conference in Las Vegas, two researchers from cybersecurity firm Pen Test Partners showed that they could inflict your smart thermostat with ransomware from hundreds of miles away, and force you to fork over cash (usually bitcoins) before you could regain control of the appliance.

Ransomware has been around for a while. It’s a breed of malware that locks down access to your files by encrypting them and sells you the decryption key that will give you back access to the files. IoT ransomware is relatively new. However, this isn’t the first time that the topic of IoT ransomware has been brought up by cybersecurity experts. Experts from Symantec presented a research on ransomware for wearables (aka “ransomwear”) last year at the Black Hat conference. The issue was also raised by experts at the Institute for Critical Technology (ICIT), specifically in regards to healthcare IoT.

Unfortunately, though, IoT ransomware isn’t being given enough attention, or not being looked at from the right perspective, which can lead to its underestimation and disastrous outcomes that could result not only in financial losses, but in loss of life as well.

Why is IoT ransomware being underrated?

The fact that IoT ransomware is not being given enough attention stems from the fact that it is being perceived in the same light as traditional ransomware.

However there are two key differences.

The classic ransomware model owes its success to its irreversibleness. When your PC, laptop or smartphone becomes inflicted with ransomware, your valuable files are encrypted and the only thing that can give you back those files is the private key, which is in the hands of the culprits (that is unless you have a backup of your files).

And that is why you’re left with no other option than to pay the ransom. That’s why even theFBI recommends to pay the ransom.

That is simply not feasible with IoT. First of all, with most IoT data being stored in the cloud, there’s little or nothing of value on the devices themselves. So even if the data becomes encrypted, there’s little incentive for the owner to pay the ransom.

Which means, ransomware attackers will have to fall back to the older form of ransomware, the one that locks your device and ransoms you for regaining access to its functionality. And that is as trivial to overcome as resetting the device and installing new patches and updates, which is even easier to accomplish with IoT devices than PCs.

The second argument that discredits IoT ransomware has to do with the perspective of the attackers. Ransomware developers are always looking to make the most money for the least effort. So an exploit of Windows or Adobe Flash or Internet Explorer will enable hackers to target hundreds of millions of users. But IoT devices are so various that each of them would have to be targeted in a different way, which would make it more of a challenge for hackers.

There’s also the minor issue of needing a user interface such as a screen display to inform the user that they’ve been hacked by ransomware. A considerable percentage of IoT devices lack any display mechanism and the hackers will have to go the extra step of discovering the user’s email or hacking the app that controls the device as well.

These factors will not create enough financial motivation for hackers to invest in IoT ransomware. Or so we think.

Why should it be taken seriously?

The correct use of IoT ransomware hinges on being timely and critical, not on being irreversible. The entire point is to strike at the target at a time and place where they won’t be able to reset the device or counter the effects of the ransomware and will be more willing to pay the ransom.

So instead of looking for valuable files on your Nest Thermostat, hackers will lock it up with ransomware while you’re away on vacation and send you a notification to tell you that your smart home has been hacked and you either have to pay a ransom or the thermostat gets locked at a high temperature. By the time you fly back home to disable or reset the thermostat, your home will get fried, and if not, you’ll have to settle for the huge electricity bill that will come at the end of the month because of the active use of the appliance.

In the connected car industry, hackers will track you down and hack your car while you’re on a desert highway, with no means to fix the problem on your own and no access to service centers. Then you’ll be forced to either cooperate with the hackers or hitchhike your way to the nearest city to get help.

In industrial IoT, things can get even nastier. Imagine a hacked power grid (and these things do happen). The hackers won’t give you 48 or 72 hours to hand over the cash, as is the case with traditional ransomware. They’ll give you 30 or 45 minutes turn over bitcoins. And after that, it’ll be total blackout.

Medical IoT can become an attractive target for ransomware as well. Your pacemaker or drug infusion pump in the control of hackers can be a dangerous situation. How about handing over a bitcoin or seeing your heart skip a beat?

Final words

The IoT ransomware model is fundamentally different from the computer and laptop paradigm, but no less dangerous. It is only a matter of time before hackers decide it’s worth their time and try their hand at hacking IoT devices for ransom. This is another reminder of the cybersecurity tradeoffs that IoT poses on consumers.

What’s important is that we keep our vigil and stay prepared to protect ourselves and our devices against such attacks. I will soon be writing about IoT ransomware and the possible solutions. I welcome any sort of expert opinion on the topic.

Image Source: Lorenzo Franceschi-Bicchierai/Vice Motherboard

Read more…

For IoT and M2M device security assurance, it's critical to introduce automated software development tools into the development lifecycle. Although software tools' roles in quality assurance is important, it becomes even more so when security becomes part of a new or existing product's requirements.

Automated Software Development Tools

There are three broad categories of automated software development tools that are important for improving quality and security in embedded IoT products:

  • Application lifecycle management (ALM): Although not specific to security, these tools cover requirements analysis, design, coding, testing and integration, configuration management, and many other aspects of software development. However, with a security-first embedded development approach, these tools can help automate security engineering as well. For example, requirements analysis tools (in conjunction with vulnerability management tools) can ensure that security requirements and known vulnerabilities are tracked throughout the lifecycle.  Design automation tools can incorporate secure design patterns and then generate code that avoids known security flaws (e.g. avoiding buffer overflows or checking input data for errors). Configuration management tools can insist on code inspection or static analysis reports before checking in code. Test automation tools can be used to test for "abuse" cases against the system. In general, there is a role for ALM tools in the secure development just as there is for the entire project.
  • Dynamic Application Security Testing (DAST): Dynamic testing tools all require program execution in order to generate useful results. Examples include unit testing tools, test coverage, memory analyzers, and penetration test tools. Test automation tools are important for reducing the testing load on the development team and, more importantly, detecting vulnerabilities that manual testing may miss.
  • Static Application Security Testing (SAST): Static analysis tools work by analyzing source code, bytecode (e,g, compiled Java), and binary executable code. No code is executed in static analysis, but rather the analysis is done by reasoning about the potential behavior of the code. Static analysis is relatively efficient at analyzing a codebase compared to dynamic tools. Static analysis tools also analyze code paths that are untested by other methods and can trace execution and data paths through the code. Static analysis can be incorporated early during the development phase for analyzing existing, legacy, and third-party source and binaries before incorporating them into your product. As new source is added, incremental analysis can be used in conjunction with configuration management to ensure quality and security throughout. 

Figure 1: The application of various tool classes in the context of the software development lifecycle.

Although adopting any class of tools helps productivity, security, and quality, using a combination of these is recommended. No single class of tools is the silver bullet[1]. The best approach is one that automates the use of a combination of tools from all categories, and that is based on a risk-based rationale for achieving high security within budget.

The role of static analysis tools in a security-first approach

Static analysis tools provide critical support in the coding and integration phases of development. Ensuring continuous code quality, both in the development and maintenance phases, greatly reduces the costs and risks of security and quality issues in software. In particular, it provides some of the following benefits:

  • Continuous source code quality and security assurance: Static analysis is often applied initially to a large codebase as part of its initial integration as discussed below. However, where it really shines is after an initial code quality and security baseline is established. As each new code block is written (file or function), it can be scanned by the static analysis tools, and developers can deal with the errors and warnings quickly and efficiently before checking code into the build system. Detecting errors and vulnerabilities (and maintaining secure coding standards, discussed below) in the source at the source (developers themselves) yields the biggest impact from the tools.
  • Tainted data detection and analysis: Analysis of the data flows from sources (i.e. interfaces) to sinks (where data gets used in a program) is critical in detecting potential vulnerabilities from tainted data. Any input, whether from a user interface or network connection, if used unchecked, is a potential security vulnerability.  Many attacks are mounted by feeding specially-crafted data into inputs, designed to subvert the behavior of the target system. Unless data is verified to be acceptable both in length and content, it can be used to trigger error conditions or worse. Code injection and data leakage are possible outcomes of these attacks, which can have serious consequences.
  • Third-party code assessment: Most projects are not greenfield development and require the use of existing code within a company or from a third party. Performing testing and dynamic analysis on a large existing codebase is hugely time consuming and may exceed the limits on the budget and schedule. Static analysis is particularly suited to analyzing large code bases and providing meaningful errors and warnings that indicate both security and quality issues. GrammaTech CodeSonar binary analysis can analyze binary-only libraries and provide similar reports as source analysis when source is not available. In addition, CodeSonar binary analysis can work in a mixed source and binary mode to detect errors in the usage of external binary libraries from the source code. 
  • Secure coding standard enforcement: Static analysis tools analyze source syntax and can be used to enforce coding standards. Various code security guidelines are available such as SEI CERT C [2] and Microsoft's Secure Coding Guidelines [3]. Coding standards are good practice because they prevent risky code from becoming future vulnerabilities. As mentioned above, integrating these checks into the build and configuration management system improves the quality and security of code in the product.

As part of a complete tools suite, static analysis provides key capabilities that other tools cannot. The payback for adopting static analysis is the early detection of errors and vulnerabilities that traditional testing tools may miss. This helps ensure a high level of quality and security on an on-going basis.

Conclusion

Machine to machine and IoT device manufacturers incorporating a security-first design philosophy with formal threat assessments, leveraging automated tools, produce devices better secured against the accelerating threats on the Internet. Modifying an existing successful software development process that includes security at the early stages of product development is key. Smart use of automated tools to develop new code and analyze existing and third party code allows development teams to meet strict budget and schedule constraints. Static analysis of both source and binaries plays a key role in a security-first development toolset. 

References

  1. No Silver Bullet – Essence and Accident in Software Engineering, Fred Brooks, 1986
  2. SEI CERT C Coding Standard,
  3. Outsource Code Development Driving Automated Test Tool Market, VDC Research, IoT & Embedded Blog, October 22, 2013

 

Read more…

iot security

By Ben Dickson. This article originally appeared here.

A recent DDoS attack staged against a brick-and-mortar jewelry store highlights just how devastating the negligence of IoT security can become. The attack, as reported by SC Magazine, involved a 35,000 HTTP request per second flood carried out by an IoT botnetof more than 25,000 compromised CCTV cameras scattered across the entire globe, causing the shop’s servers to go down.

As detailed by cybersecurity firm Succuri, the attack is unusual because it has only used IoT devices and also because of its uncommonly lengthy duration. After the initial wave, when the servers were brought back online, a second, bigger attack, with a 50k HTTP RPS, was conducted, which lasted for several days.

A separate report by Computer Weekly details how the LizardStresser malware is creating IoT botnets by exploiting vulnerable devices, and is mounting massive 400 gigabits-per-second DDoS attacks without using amplification techniques.

This is just a glimpse of the opportunities that the Internet of Insecure Things is providing for malicious actors who are always looking for new ways to break into networks to defraud organizations of their cash and valuable assets, or to harm opponents and competitors.

You’ve been warned about IoT botnets before

While the rise in DDoS attacks based on IoT botnets is new, it wasn’t unexpected. In fact, after 2015 became the year of proof-of-concept attacks against the Internet of Things, it had been predicted that IoT devices would become a very attractive target for bot herdersin 2016.

As Dark Reading’s Ericka Chickowski said in this post, “2016 is going to be the year that attackers make a concerted effort to turn the Internet of Things (IoT) into the Botnet of Things.”

Researchers from Incapsula first warned about IoT botnets last year after detailing an attack they discovered which they tracked back to CCTV cameras at a retail store close to their office. And with insecure IoT devices becoming connected to the internet at a chaotic pace, hackers have good reason to give up general purpose computing devices, such as desktop and laptop computers, to go after the easier targets.

What makes IoT device such easy prey for botnet malware?

There are many reasons that IoT devices – and in this case CCTVs – make very attractive targets for bot herders. As Igal Zeifman, senior digital strategist from Imperva, detailed in the Incapsula blog post, “Security cameras are among the most prevalent and least protected IoT devices. Moreover, many have high upload connections, meant to support their remote streaming functionality.”

What makes it easy to conscript CCTVs ­– and other IoT devices for that matter – into botnets? According to Chris Hodson, CISO for EMEA region at cloud security company Zscaler, who spoke with SC Magazine, it’s because the security development lifecycle for IoT devices is often expedited or bypassed due to strict deadlines around time to market or the cost of the hardware.

This is a point that I’ve also raised on several occasions: one of the fundamental problems with IoT security is that the developers often come from an unconnected background, such as embedded systems, which means they have the knowhow to provide functionality but aren’t versed in the principles to write secure code for connected environments. In other cases, security is advertently neglected for the sake of meeting release deadlines of cost requirements.

Researchers at Arbor Networks summed up the prevalence of IoT botnet malware in four reasons:

  • The operating system of IoT devices is usually a stripped-down version of Linux, which means malware can be easily compiled for the target architecture.
  • IoT devices usually have full access to internet and aren’t subject to bandwidth limitations or filtering – which is very true in the case of CCTVs.
  • Minimal operating systems running on IoT devices don’t leave much room for security features such as auditing, which lets attackers compromise and exploit the devices without leaving trace.
  • There’s a lot of hardware and software reuse in IoT development, which means a lot of security-critical components become shared between devices. (Just take a look at “House of Keys” research by SEC Consult, which shows how the reuse HTTPS certificates and SSH keys endangers millions of devices.)

The part that concerns consumers is the carelessness in dealing with IoT device security. Since IoT devices aren’t as personal as, say, smartphones or PCs, users tend to “install and forget” IoT devices. Bad practices such as not changing passwords, or worse, leaving devices installed with factory-default passwords are epidemic in IoT ecosystems, which makes it very easy to find administrative access to the device and install IoT botnet malware into it.

What can be done about the IoT botnets?

I just wanted to raise the challenge of IoT botnets in this post. The response will be the subject of a future article. But very briefly, a lot can be done to mitigate the threat of IoT botnets in the future. For one thing, security should become a major factor in IoT development. As Cesare Garlati, chief security strategist at prpl foundation told SC, “The very fact that patching isn’t high on the priority list for admins is testament to why security in devices like CCTV cameras needs to be ‘baked in’ at the chip or hardware layer.”

We’ve already seen the efficiency of hardware security in the headaches that Apple gave the FBI in the San Bernardino iPhone case. Having devices that are secure at the hardware level will go a long way into hardening our defenses against exploits, including IoT botnets.

Moreover, we should also recognize that some IoT devices can’t be secured at the device level and therefore must be secured at the network level. Deploying network security solutions, like the ones I’ve described in this TNW article can help a lot in providing security against IoT botnets for devices that are inherently insecure.

These are just two tips at fighting back against the rising tide of IoT botnets. I’m sure that a lot of you readers out there have brilliant ideas and innovations that can help deal with this situation. Since I’ll be writing about this very soon, I’m eager to know what you’re doing to deal with the IoT botnet threat. Leave a comment, or better yet contact me, to share your ideas.

FEATURED IMAGE: SAVASYLAN/SHUTTERSTOCK

Read more…
A security-first approach to developing IoT device software is critical, a key ingredient is an end-to-end threat assessment and analysis. A threat assessment includes taking stock of the various physical connections, potential losses/impacts, threats and the the difficulty of the attack. Importantly, addressing these threats needs to be prioritized based on likelihood and potential impact.
Read more…

Why is the IOT Catnip to Hackers ??

Why is the IOT Catnip to Hackers?

The latest developments in IoT security will protect the companies that use them from disastrous hacks

Rob Enderle writing in CIO Magazine May 20 about a new security certification for IOT products lauded the new offering and cited other measures that responsible IoT businesses must take to secure the future of their companies. His opinion piece couldn’t come at a better time.

Those of us watching the IOT “back door” swing open to hackers have been wondering how and when a product certification like this would become industry standard. Underwriter Laboratory’s Cybersecurity Assurance Program (CAP) just might work. But it’s only a start.

The three-level certification process, according to Enderle, will work fine as long as it’s subject to a “rigorous audit process.” However, he also agrees that using a remote network hub with security stopgaps in place (which is what most are doing now) won’t do a thing to protect wireless devices.

Where we are now, where we need to go

During the NXP/FTF Technology Forum 2016, a group of panelists was asked if the Internet of Things was secure yet. What do you think they answered? Yes, they said, no.

Here’s the rub—and the same thing that Enderle writes about: The connected devices in cars, homes, phones need to have specialty security hardware to stop many attacks. Another missing link, according to Global Business Development Manager Damon Kachur at Symantec, is the need to institute “a massive education process compelling security providers to educate consumers on how to operate their devices securely.”

Using cryptography, requiring several rounds of authentication per day, and manufacturers hiring hackers to break into their IoT devices before they put them on the assembly line—these were also solutions that Forum panelists came up with to secure the IoT.

Horror stories averted?

The stories with the highest profiles are those that see connected cars taken over and crashed; cell phones hijacked and set on fire; and that Target breach, when hackers stole credit cards from Target headquarters using the building’s HVAC systems to get in. What else do we need to do, besides work on certification processes and make sure that before we build the next IoT device, we’ve protected it from hackers?

It’s clear that businesses engaged in the IoT revolution need to make security “job one”. There are heartening signs that this indeed is the case. A recent Accenture paper on IOT security claimed that “businesses surveyed by the World Economic Forum identified cyber-attack vulnerabilities as their most important IoT concern.” And an article last month in Forbes reported that venture capitalists are now “following the money” to underwrite cybersecurity start-ups: “Boston-based Lux Research says investment in “cyberphysical” security startups rose 78% to $228 million in 2015, and will increase to $400 million this year. The report cites rapid adoption of IoT tech, with the potential threats it brings in the area of internet connectivity in cars, homes and factories.”

Businesses that are eager to make money on the IOT without being willing to spend the money on securing it will be increasingly prone to customer data breaches and other high-profile disasters that will close their doors—and slow the adoption of IoT devices—and spending—for years to come. Smart companies need to make an investment in securing their latest IoT game changing use-case or product-- or their customers and partners won’t want to make an investment in them.

Read more…

Security-First Design for IoT Devices

Machine to Machine (M2M) and Internet of Things (IoT) realities mean that more and more devices are being deployed and connected to each other. This connectivity is both the promise of IoT (data gathering, intelligent control, analytics, etc.) and its Achilles’ heel. With ubiquitous connectivity comes security threats -- the reason security has received such a high profile in recent discussions of IoT.
Read more…

Upcoming IoT Events

6 things to avoid in transactional emails

transactional man typing

  You might think that once a sale has been made, or an email subscription confirmed, that your job is done. You’ve made the virtual handshake, you can have a well-earned coffee and sit down now right? Wrong! (You knew we were…

Continue

More IoT News

IDG Contributor Network: 20 awesome Apple websites

Apple is one of the richest, best known companies on the planet. Apple’s products generate reams of news, reviews, discussions and opinion columns everyday around the web.

But the company’s very prominence can make it hard to know which…

Continue

IoT Career Opportunities