When the internet of things misbehave!

“THE internet of things” is one of the buzziest bits of jargon around in consumer electronics. The idea is to put computers in all kinds of products—televisions, washing machines, thermostats, refrigerators—that have not, traditionally, been computerised, and then connect those products to the internet.

If you are in marketing, this is a great idea. Being able to browse the internet from your television, switch on your washing machine from the office or have your fridge e-mail you to say that you are running out of orange juice is a good way to sell more televisions, washing machines and fridges. If you are a computer-security researcher, though, it is a little worrying. For, as owners of desktop computers are all too aware, the internet is a two-way street. Once a device is online, people other than its owners may be able to connect to it and persuade it to do their bidding.

On January 16th a computer-security company called Proofpoint said it had seen exactly that happening. It reported the existence of a group of compromised computers which was at least partly comprised of smart devices, including home routers, burglar alarms, webcams and a refrigerator. The devices were being used to send spam and “phishing” e-mails, which contain malware that tries to steal useful information such as passwords.

The network is not particularly big, as these things go. It contains around 100,000 devices and has sent about 750,000 e-mails. But it is a proof of concept, and may be a harbinger of worse to come—for the computers in smart devices make tempting targets for writers of malware. Security is often lax, or non-existent. Many of the computers identified by Proofpoint seem to have been hacked by trying the factory-set usernames and passwords that buyers are supposed to change. (Most never bother.) The computers in smart devices are based on a small selection of cheap off-the-shelf hardware and usually run standard software. This means that compromising one is likely to compromise many others at the same time. And smart devices lack many of the protections available to desktop computers, which can run antivirus programs and which receive regular security updates from software-makers.

Ross Anderson, a computer-security researcher at Cambridge University, has been worrying about the risks of smart devices for years. Spam e-mails are bad enough, but worse is possible. Smart devices are full-fledged computers. That means there is no reason why they could not do everything a compromised desktop can be persuaded to do—host child pornography, say, or hold websites hostage by flooding them with useless data. And it is possible to dream up even more serious security threats. “What happens if someone writes some malware that takes over air conditioners, and then turns them on and off remotely?” says Dr Anderson. “You could bring down a power grid if you wanted to.”
That may sound paranoid, but in computer security today’s paranoia is often tomorrow’s reality. For now, says Dr Anderson, the economics of the smart-device business mean that few sellers are taking security seriously. Proper security costs money, after all, and makes it harder to get products promptly to market. He would like legislation compelling sellers to ensure that any device which can be connected to the internet is secure. That would place liability for hacks squarely on the sellers’ shoulders. For now, he has had no luck. But Proofpoint’s discovery seems unlikely to be a one-off.

Good people, let's have your opinion(s).
JUST READ THIS INTERESTING ARTICLE, AND DECIDED I SHOULD SHARE IT WITH ALL MY FRIENDS IN HERE.

Article originally posted on the Infoworld website.

Recently, I was asked by an instructor at a technical college if I would mind responding to some of his students' questions. I happily agreed. Ultimately, this resulted in a lively back-and-forth session, so I decided to share the exchange with you. Enjoy!

Question 1: Microsoft just announced a huge list of security patches for "Patch Tuesday." Why doesn't it just focus on a single product and fix all of the security holes in one shot?
Finding bugs in products doesn't work that way. Every product that Microsoft codes goes under dozens of manual and automated tool reviews. That scrutiny is vital because Microsoft is the biggest target, and as a result Microsoft products actually have fewer vulnerabilities than those of its nearest competitors. But even with the right tools and processes, you can't catch everything.

New techniques are found, mistakes are made, and until you have perfect humans, you'll never have perfect code and you'll never have perfect bug detecting.

Here's a good example. Years ago someone discovered they could buffer-overflow the HTML color attribute field located on Web pages as it was rendered in a popular browser. No browser vendor at the time ever thought the color attribute field could be abused. The vendor's security reviewers didn't know to look for it and neither did any of the private or third-party tools, despite the fact that every field should be boundary-tested. Now all vendors check for it. Everything looks easier in hindsight -- improving software is an evolving process.

Question 2: In one of your blog posts, you mentioned something like: "The NSA could be hiding small snooping programs in, let's just say, a picture of a cute kitten or a fun Android game." So how can the average Joe ever know that what they download is the real picture or app with no hidden malware in it?
The short answer is you can't -- not even close. The only thing you can do is decide to trust the entity that created the device or code, especially if it is digitally signed. Because as long as their digital-code signing cert wasn't compromised or the machine the code was signed on wasn't compromised, at least you can say that the code the developer signed was what they signed when they signed it. But the truth is you really don't know.

It's all a matter of faith and trust. Certainly some vendors deserve more trust than others. Personally, I believe we need to "fix" the Internet and make hacking and snooping, even by the NSA, easier to prosecute and easier to detect. It disturbs me greatly that what the NSA does is completely legal ... and most countries don't even have the laws that we do. I wish everyone's privacy laws were stronger. In the United States, we need to modify our Constitution to guarantee more personal privacy. I thought the amendment against unreasonable search and seizure did that, but it's not even close to being enough these days.

Question 3: I liked your article "Crazy IT security tricks that actually work." Someone dismissed your points of "security through obscurity." If these things work, then why would the IT Industry be so quick to discount them?

People repeat dogma as fact, when all you're really talking about are cute little sayings that were a stretch from the beginning. Obscurity is one part of security. It shouldn't be relied upon as the only defense, but it certainly plays a big part. If it didn't, every army would tell the other army what all their capabilities were, where all the weapons and troops were, and make everything "transparent."

The best thing I can say to anyone trying to learn is not to accept everything you hear at face value. Respect what other, more learned people say, but don't accept anything as gospel unless you do it or see it yourself. Stay skeptical.

Question 4: If Stuxnet was the most complex piece of malware ever created, then couldn't the "sons of Stuxnet" wreak havoc across all of the Internet and not just at the Iranian nuclear facility?
This is a huge, huge fear of a lot of people. However, I expect that one day a much less complex piece of malware will "crash" the Internet. Sophisticated malware is needed only for sophisticated scenarios. Crashing the Internet or stealing from banks is easily accomplished with conventional malware. Hackers are likely stealing tens of millions of dollars every day, if not hundreds of millions. They are allowed to get away with it, and the public accepts it as a cost of doing business because they stay below a certain threshold. One day one of them will make a mistake, steal too much, and the world will freak out and finally fix the Internet.

Question 5: It has been widely reported that the NSA put backdoors into a bunch of different programs. How do we know these backdoors have been closed?
Most of them probably haven't been closed. Until we get their complete list of software exploits, which is highly unlikely, we'll never be able to do it. And it's not just the NSA you have to worry about, but every sophisticated government and hacker group. Software is full of exploitable holes that only certain people have knowledge of.

Question 6: We're being taught to hack. What is to stop us from being evil with the knowledge we've been given?
Hacking is actually fairly easy. It's like a cookbook recipe: Once you know how to hack, it's mostly a repeatable process. Most hackers simply mimic what someone else did. They seldom think of anything new. You want to impress me? Do something new. Most hackers are followers.

The smartest hackers are the good guys. It's easy to hack; it's much harder to defend. It's easy to tear down a barn with a saw and a sledgehammer; it's much harder to build the barn. It's even more impressive to build a barn that can resist the saw and the sledgehammer.

You shouldn't hack illegally for the same reason you shouldn't assault someone. It's morally wrong. I've had the skills to hack illegally for over two decades. I get paid to hack legally all the time. Over the past nine years it's never taken me more than an hour to break in (except one time, when it took me three hours). This includes banks, hospitals, government agencies, and Fortune 500 companies. It's not that hard to hack. And guess what? I make a very good living -- far better than I could ever have imagined. I am living the dream.

Legal hacking allowed me to accomplish this, and I don't have to worry about the feds arresting me. If you go the illegal route, it's going to catch up with you eventually. It always does. You can make more money and sleep well at night by hacking legally. You'll have a better career and a better life doing the right thing.

Question 7: I read that no matter how long or complex your password is, that it can be broken by a pass-the-hash attack. True?
In a sense. PtH (pass-the-hash) attacks require that the attacker obtain local administrator status on the box they are stealing hashes from (or obtain domain administrator on a domain controller). If you have that sort of access, then what can't you do?

That said, if attackers steal the ultimate authentication secret -- for example a password, a password hash, a Kerberos token, a ticket, and so on -- they have the ultimate authentication they need to do almost anything. Length of password, hash, digital certificate key, and so on will not protect you.

PtH attacks are a valid concern, but if they went away completely (Windows Server 2012R2 has plenty of PtH defenses built in), it would not stop attackers in the slightest ... because they already own the box. They can just do keylogging, Trojan the machine, or modify the operating system. We should be more concerned about how attackers get that elevated access in the first place, not focused on what they do with it once they have that access. ... Because sky is the limit and there is no defense.

Question 8: Is the NSA leaker a hero or a traitor?
He's a bit of both. Ultimately, he broke his NDA and many laws. He has put other people's lives at risk. He should be punished for that. The only rationale to do what he has done is if what you are revealing is illegal or unconstitutional. So far nothing he has revealed is either of those things. Nothing he has revealed is a surprise to those of us who follow the NSA.

Just read any James Bamford book. He was writing about the NSA's capabilities 25 years ago. The only new things that he revealed, to those of us who follow the NSA, is names of programs and perhaps some individual exploits.

That said, he is to be applauded for bringing the excesses of what the NSA is legally allowed to do to the public masses. I'm hoping that everyone being upset with the NSA will lead to laws being changed, so the NSA cannot legally collect everything they are already collecting. It upsets me, and others, that it took a single employee breaking the law to make the rest of the world up in arms about something we've known for years if not decades.

Question 9: We discussed the FBI takedown of the Silk Road in class and I was wondering: If the NSA has all of the access to our personal lives, why did it take the FBI three years to take them down?
Law enforcement is always slow, especially when it crosses multiple jurisdictions. It takes time to start legal projects, collect evidence, obtain warrants, and proceed. But I suspect that most of the time was spent just getting on the FBI's already busy radar. The FBI, like your own company, has a budget and a project plan each year. I bet Silk Road wasn't on the radar until enough people started complaining. Plus, many times the investigation goes on far longer than what's needed to collect evidence, as perpetrators go after bigger targets and commit more crimes, resulting in easier-to-prove court cases and longer jail sentences.

Also, the NSA and the FBI don't always share information. The NSA, for the most part, doesn't care about drug trafficking, money laundering, theft, and a lot of the other things the FBI cares about. As bad as our laws are, the NSA can't simply share what it has with other legal entities.

Question 10: I want to work in information security, first as an administrator then ultimately as a consultant. What is the best certification to pursue?
I have about 50 certifications, and I learned something new from each one of them. Each cert made me a more knowledgeable technician, and each gave me something that made me more employable. But if you're talking about which ones count the most, that's a slightly different answer: It's the certification most relevant to your potential employer or its customers.

Fortunately or unfortunately, experience counts more. Because of that, you want to pick certs that give you both credentials and real hands-on experience. I like the CompTIA stuff. It teaches a lot. But their certs are basically thought of as "base" certifications. When you earn one of those, you know the basics. Still, great to know, and you will learn something.

Personally, I'm not a huge fan of the CISSP (because it's a lousy test), but it's probably the one cert that most employers and clients like to see. I think it's because bosses and clients often have it and think it was hard, so they like to know other people they are hiring had the same hard time with it.

I'm a huge fan of anything SANS does or offers. I think the SANS courses, books, instructors, and certs teach you more hands-on experience than any of the other relative certs. When I see someone with a SANS cert, I immediately trust them. It's the security geek's CISSP. I also like the CEH and other certified auditor exams. Each has its benefits. Each teaches you something.

Question 11: What kind of tools should I run to make sure my PC is clean (or as clean as possible)?

I never recommend a particular product. They are all fairly accurate, and they all fail miserably on a daily basis. Don't believe any of the "accuracy tests" you read. It's not that the tests are inaccurate, it's that they often set specific parameters that (accidentally or otherwise) benefit particular products.

I've been in the AV field since 1987. Accuracy goes up and down on every product over time. Just pick one that is reasonably accurate and one that doesn't kill your system's performance. You should run AV, but remember that 99 percent of all successful exploits are caused by unpatched software.

Question 12: How can I detect if my computer has been turned into a bot to help perpetrate a DDoS attack?

It can be hard, especially if your computer has been hit with a rootkit. AV is supposed to detect that sort of stuff, but it often misses it. I love to do two things to look for bot programs myself. First, I use the free utility Autoruns. It will show you everything that is running when your PC starts. It will be a hundred things. Research anything you don't recognize. When in doubt, uncheck the program and reboot. If it breaks something, run Autoruns again and recheck.

Second, download TCPView from Sysinternals. Close every program you think could possibly be communicating with the Internet. Then run TCPView. Research any programs or processes that are communicating with the Internet. Most of the time you'll see one or more things connecting to the Internet that you didn't know about. This is normal. Usually they are just legitimate programs connecting back to the vendor doing something the vendor programmed them to do. Research the destination connection points. If you can't figure out what the program is connecting to and whether it is legitimate, consider using Autoruns to disable it.

But the truth is that malware programs can be very difficult to discover and remove. When in doubt, back up all your data, reformat (or reset), and reinstall everything again. This is the only way to truly know that you are starting with a clean state.

Question 13: I use a MacBook Pro. I know it is built on Darwin Unix, but is it truly more virus-resistant than Windows 7 or 8?

Yes and no. No, in that OS X has far more vulnerabilities than Windows -- and I don't mean a little. Windows gets about 120 to 200 bugs a year. OS X gets two to three times as many, if not more.

With that said, because OS X runs on only 5 to 10 percent of the world's computers, it still isn't a very big target. Bad guys target popular things because they are more likely to get something of value. Running OS X will probably incur less risk compared to a Windows computer -- probably significantly less risk.

Note that computer viruses aren't nearly as common as worms, Trojans, and other sorts of malware. Use the term "malware" or "malicious program" instead of "virus." Virus indicates only one type of malware.
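
The TCPView step from the answer to Question 12 can also be done from the command line. The following is an added example, not part of the original article: a Python script that parses `netstat -ano` and `tasklist /fo csv /nh` output and lists the processes holding connections to non-local addresses, so each can be researched. The sample output, PIDs and process names are constructed, and the function names are this example's own.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample of Windows `netstat -ano` output. PIDs are made up; the
# remote addresses come from private and documentation ranges.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  TCP    127.0.0.1:49701        127.0.0.1:49702        ESTABLISHED     4312
  TCP    192.168.1.20:49822     192.168.1.1:445        ESTABLISHED     4
  TCP    192.168.1.20:50110     203.0.113.45:443       ESTABLISHED     7340
  TCP    192.168.1.20:50111     203.0.113.45:443       ESTABLISHED     7340
  TCP    192.168.1.20:50344     198.51.100.23:6667     ESTABLISHED     5128
  TCP    [2001:db8:1::20]:50400 [2001:db8::25]:25      SYN_SENT        5128
  UDP    0.0.0.0:5353           *:*                                    1780
"""

# Constructed sample of `tasklist /fo csv /nh` output (hypothetical names).
SAMPLE_TASKLIST = '''\
"System","4","Services","0","144 K"
"svchost.exe","908","Services","0","9,812 K"
"browser_helper.exe","4312","Console","1","21,004 K"
"vendor_updater.exe","7340","Console","1","15,220 K"
"unknown_helper.exe","5128","Console","1","3,416 K"
'''

# Ranges treated as "not the Internet". Listed explicitly because
# ipaddress.is_private is also true for the documentation ranges used above.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::/128", "::1/128",
    "fc00::/7", "fe80::/10")]
ACTIVE_STATES = {"ESTABLISHED", "SYN_SENT", "CLOSE_WAIT"}

def split_endpoint(endpoint):
    """Split '1.2.3.4:443' or '[2001:db8::1%12]:443' into (address, port)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop brackets and IPv6 zone id
    return ipaddress.ip_address(host), int(port)

def is_local(addr):
    """True for loopback, link-local and private-range addresses."""
    return any(addr.version == net.version and addr in net for net in LOCAL_NETS)

def external_connections(netstat_text, known_pids=()):
    """Map PID -> sorted remote (address, port) pairs outside LOCAL_NETS."""
    by_pid = defaultdict(set)
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP":
            continue  # headers, UDP rows (no state column), blank lines
        _proto, _local, remote, state, pid = fields
        if state not in ACTIVE_STATES or not pid.isdigit():
            continue
        try:
            addr, port = split_endpoint(remote)
        except ValueError:
            continue  # unparseable endpoint such as '*:*'
        if is_local(addr) or int(pid) in known_pids:
            continue  # known_pids: processes already researched and accepted
        by_pid[int(pid)].add((str(addr), port))
    return {pid: sorted(eps) for pid, eps in by_pid.items()}

def process_names(tasklist_csv):
    """Map PID -> image name from `tasklist /fo csv /nh` output."""
    rows = csv.reader(io.StringIO(tasklist_csv))
    return {int(r[1]): r[0] for r in rows if len(r) >= 2 and r[1].isdigit()}

def triage(netstat_text, tasklist_csv, known_pids=()):
    """List (image name, PID, remote endpoints) for processes to research."""
    names = process_names(tasklist_csv)
    conns = external_connections(netstat_text, known_pids)
    return [(names.get(pid, "<unknown>"), pid, eps)
            for pid, eps in sorted(conns.items())]

if __name__ == "__main__":
    for name, pid, endpoints in triage(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print(f"{name} (PID {pid}): " + ", ".join(f"{a}:{p}" for a, p in endpoints))
```

On a real machine, feed the functions the captured text of the two commands instead of the samples. As the answer notes, a rootkit can hide connections from tools like these, so an empty list is not proof of a clean system.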
These performance tips will work for any PC running Windows Vista, Windows 7 or Windows 8.

Want more speed?

"This PC is so slow!" This is a cry that's been uttered by PC users since, well, PCs were first invented.

Since we don't think that there's anyone out there who wouldn't like to squeeze a little more performance out of their PC, we've pulled together six top tips that will help you get the most out of your Windows PC, without having to spend a fortune.

These tips will work for any PC running Windows Vista, Windows 7, and Windows 8.

Get rid of the junk

There's nothing like having loads of junk installed on a system to turn even the best PC into a river of molasses.

There are two sorts of junk to consider. The first is the stuff that the PC makers install into new PCs, and the other is the junk that you (and other people using the PC) have installed on it.

Add more RAM

While not a free option, installing RAM is, without a doubt, the single best bang-for-your-buck hardware upgrade you can carry out on a PC. And adding RAM has never been cheaper, with an extra 4GB costing around $60.

If you've got a reasonably fast USB drive laying about the place then you can use this to give your PC a performance boost by using it as a ReadyBoost drive.

The ReadyBoost feature, which is part of Windows Vista and above, allows flash memory – in the form of a USB flash drive, SD Card, Compact Flash card, or SSD – to be used as a high-speed cache to boost performance, as long as it meets the following criteria:
· Capacity of at least 256MB, with at least 64KB of free space
· At least a 2.5MB/sec throughput for 4KB random reads
· At least a 1.75MB/sec throughput for 1MB random writes

Making use of ReadyBoost is easy.
· Plug the drive into the PC.
· Either click on > from the dialog box, or right-click on the drive in Windows Explorer and choose and then click on the tab.
· Choose whether you want to dedicate the drive to ReadyBoost (which prevents you from using it as storage), or use a portion of it for ReadyBoost.
· Click .

Defragment your drives

Carrying out a regular defragment of your PC is a good idea if you want to keep it in tip-top condition. The only thing to bear in mind is that you shouldn't, under any circumstances, defragment an SSD drive. Not only will you get zero benefit from it, but you will seriously shorten the life of the drive.

But if you are still running regular hard drives then Windows is set to defragment your system once a week, but you should check to see that this is on and that all your drives are defragmented. You can run the Disk Defragmenter any time you feel you've made a lot of changes to the data on your drives.

It can be accessed from:
· : > > > >
· : Open the Charms bar and search for "Optimize Drives" and then click on

There's a lot of voodoo written on the web about defragmenting drives, and there are all manner of arcane command-line switches you can use to carry out different sorts of defragment. In my experience, a simple defrag once a week is all you need.

Add power

If you have a notebook system that's a bit sluggish then the easiest way to speed it up is to connect it to a power supply!

Windows can detect if it is running on a notebook system and it will switch over to a low power profile when it detects that it is running on battery power. While this is good for battery life, it's bad for performance, so if you want more oomph from the system, connecting it to a power supply will restore performance to normal levels.

You can go digging around in the bowels of Windows and make permanent changes to the power profiles, but I don't recommend this as it will have a huge detrimental effect on battery life. It's much easier to remember to hook up the system to a power supply when you want more performance.

Install the latest drivers

The drivers that control your hardware can have a huge effect on how well your system runs, and one of the drivers that's key to system performance is the graphics card driver.

While people who rely on the default Windows driver or who don't care about performance might never need to think about their graphics card driver, anyone who cares about getting the best from their hardware – and especially anyone who is into PC gaming – should probably check to see if there's an updated driver every few months because it can make a huge difference to how well games run.

Other drivers worth checking regularly are the motherboard drivers (which can have a huge effect on data transfer rates to and from your hard drives), and drivers for any external hardware you use.
For those of us that have worked in the IT industry, we are well aware of the image of the IT department at most businesses. Arrogant, rude, obstructive; these are just a few words that have typically been associated with IT. Stereotypes like these can limit effectiveness and make it difficult for your IT department to do its job. Improving the image of your IT department is something that is not only beneficial to your employees, but also the company as a whole.
Demonstrate that you're human beings

The most common mistake made by IT departments is that they forget that the majority of their work is customer-service based. This means that there is a great deal of human interaction required and you must learn to deal with other people.

Too often, because most IT problems can be solved remotely, members of the IT department will spend almost all of their time in their respective office. It is important to get involved around the office and not hide out in the IT department.

Getting out of the IT department every now and again will give you the chance to meet the users and establish relationships with them. This also gives them a chance to put a face and name to the IT department which is much harder to put a negative connotation on. It may be a good idea to occasionally go help a user face to face even when it's unnecessary as this will help them understand what goes into fixing an IT problem. This will help users remember that the IT department is made up of human beings and not a group of robots who can magically solve all their problems instantly.

Establishing a good rapport with the users will make things easier for everybody. You will be less frustrated with their requests and they will be more patient and appreciative of your efforts to find them solutions.
Communicate and educate

Maintaining communication with users as well as continuously educating them will improve your IT department's image and efficiency.

Communication is something that is important throughout the entire company, but it may be most important between users and the IT department. By keeping open lanes of communication with users you can show that your department is accessible and easy to get in touch with. This will improve your image within the company as well as increase efficiency as users will be more comfortable coming to you with issues early, rather than waiting until a major problem develops.

Education is equally essential to improving your department's image. Informing users on basic IT solutions is beneficial to both parties and can be done in a number of ways. One way to do this is by organizing meetings or workshops with employees from every department where you can work hands-on with users to help them better understand IT processes.

Games/competitions can be incorporated into these workshops and prizes can be given away to add some excitement. Providing those who attend the opportunity to win a raffle prize could also be used as an incentive. Another way to keep users informed is by including a monthly IT column in the company newsletter that offers tips and advice for basic IT issues. This will improve the department's image as users will see you as being genuinely helpful and it could also save you some time as users may be able to fix a problem themselves rather than by contacting IT.
Be personable and avoid jargon

Finally, the simplest thing you can do to improve your IT department's image is to just be personable. If you are friendly and patient with users, then they will give you the same courtesy. The "golden rule" applies well here and it is important to remember that if you are rude and short with users they are unlikely to listen to your suggestions which could lead to the frustration of fixing the same problem over and over again.

Also, remind yourself that you are interacting with a person who more likely than not doesn't know as much about technology as you do (otherwise they would probably be in the IT department). It is important to avoid jargon and terms that those unfamiliar with IT may not understand. This needs to be done without talking down to the person, as doing so will only cause resentment. It is incredible how beneficial simply being polite can be to your department's overall success.
Improving the image of your IT department within your company can contribute directly to a more successful and effective department. An improved reputation for your department will make it much easier (and less stressful) to do your job. Although there are some negative views and stereotypes associated with IT, it is possible to take actionable steps towards abolishing these stereotypes and improving your image into one that is held in high regard.