New Age Cybersecurity

Uploaded by kishore-jethanandani-mba-ma-mphil, posted on 28-Jan-2018

Published earlier by The Mobility Hub of UBM Techweb

INTERNET OF THINGS OPENS A PANDORA’S BOX OF CYBER-ATTACKS
BY KISHORE JETHANANDANI

M2M devices had an isolated existence in industrial plants, utilities, hospitals, transportation and smart buildings, and security from cyber-attacks was not a concern. As Application Programming Interfaces expose M2M devices to the larger world of the Internet, their ubiquity is haunting the IT world with the prospect of pervasive and catastrophic cyber-attacks that will affect sensitive industrial controls and medical devices. Worse, a security breach could cause physical harm.

Protection of the Internet of Things is fraught with unique challenges, especially because the software is embedded in the hardware device and is wrapped up with the core of the intellectual property. It is often not possible to patch and update embedded software remotely and continuously to keep it safe without disassembling the hardware, at the risk of downtime and damage to the interconnected software. Some protocols, like Modbus, were not designed to secure against intrusions. Hardware manufacturers are wary of revealing the vulnerabilities of the software lest the information spill to malware developers or the source code find its way to competitors.

The paradigm that guided security management of the Internet of devices, using downloadable software, is rife with flaws that are hard to repair with known methods of security management. Authentication plays a vital role when humans use devices; by contrast, M2M devices are remotely controlled by another instrument. Similarly, log file and event monitoring, a wealth of information for detecting anomalies that point to intrusion, is not known to work well with the Internet of Things.

“M2M is a booming industry, and hardware manufacturers are pre-occupied with selling devices while users are only beginning to realize the importance of third-party security specialists to remotely monitor security,” Spencer Cramer, President and CEO of Ei3 Corporation in New York, told us. “Access to the source code of the embedded device controllers is needed to integrate with security software,” he informed us. His company has been in the business of securing M2M devices for the last fifteen years and specializes in the few verticals that are already governed by standards. “We have developed a hundred custom drivers to integrate with the embedded software where standards are absent,” he revealed to us.

“Economic disincentives dissuade hardware manufacturers from taking preventive measures before security risks snowball into disasters,” Andrew Jaquith, Chief Technology Officer and Senior Vice President of Cloud Strategy at Silversky, told us. “Manufacturers do not internalize the social costs of security breaches due to the absence of liability for damages, the lack of compulsion to disclose them and the lack of standards,” Mr. Jaquith explained to us. “Bugs are much cheaper to fix in the early stages and companies like Codenomicon have the technology to test for their presence,” he revealed (according to him, he does not have business relations with the company).

The Internet of Things has opened a Pandora’s box of new challenges in Internet security. A new, system-wide strategy is needed to cope. The widespread ramifications of this new world of security threats need to be grasped quickly, before a possible tsunami of cyber-threats has cataclysmic effects.

Virtual Counter-intelligence: On the offense against cyber-warfare
By Kishore Jethanandani

Cyber-security is a misnomer as state-sponsored agents wage war-like cyber-attacks. The lexicon of cyber-security is increasingly drawing on the metaphors of physical war, decoys, stalking horses, and counter-espionage, to describe the offensive means to disrupt hostile intrusions before they strike their targets.

Deception is common in physical warfare, behind the scenes, as aggressors seek to mislead their enemies so that they are unable to foil an attack. The countdown to the defeat of Germany in World War II began with the Allied forces pulling the wool over the surveillance eyes of their enemies—Hitler was led to believe that an attack was looming in Pas de Calais and not Normandy. The then newly developed radio communications technology enabled the Allied forces to transmit pre-programmed messages, ostensibly originating from diplomatic and intelligence sources, from which an imminent landing at Pas de Calais could be inferred. Allied forces had time to sneak across the English Channel without being routed by forces positioned favorably on land at an elevation.

Electronic signals can help create illusions to sucker intruders into mistaking stalking horses for the targets they are seeking. In an earlier article, we discussed the vulnerability of control systems of utilities and other physical facilities, as M2M connects to the Internet, which can be hijacked by cyber-criminals and manipulated to harm them. For example, criminals could alter water temperatures so that generators are not cooled. Cyber-criminals, however, do not have visibility into the sensors feeding analog data of electrical signals communicating with control systems. A way to hoodwink cyber-criminals is to feed them sensor data from shell facilities. The nature of their interaction with these decoys will expose their intentions without doing any damage to the real facilities.

Some companies are now specializing in active defense strategies for trapping cyber-criminals before they reach their target. Datasoft, for example, creates a cyber-smokescreen with virtualized instances of the network machines actually in use, or “honeypots” masquerading as sources of valued information like login information. Cyber-criminals are more likely to tamper with the wrong virtual machine and betray their intentions. Jumpsoft creates a Winchester House-like maze of shifting virtual systems where a blind alley is hard to distinguish from the real. Cyber-criminals will recognize the high probability of a trap and factor that into their risk perceptions.

Active cyber defense techniques are becoming more common as defensive methods are proving to be increasingly ineffective against attackers covering their tracks outside and inside the networks of their victims. Google, for example, followed the footprints of its attackers and determined them to be agents of the Chinese government. The trail led to servers in Taiwan where proprietary information from a host of American corporations was found, and eventually led to Chinese Government sources. One recent survey found that 36 percent of 180 companies surveyed were using offensive techniques against cyber-criminals—defensive methods have been found to be ineffective, with only 6 percent able to trace the source of attacks.

The rapid increase in application usage across a broader variety of mobile devices, networks, and operating systems exposes companies to an ever-rising risk of cyber-attacks. As the number of users increases, so does the likelihood of inadvertent errors that expose IT systems to an intrusion. The future belongs to security systems that can anticipate and pre-empt cyber crimes.

Page 6: New Age Cybersecurity

The specter of pervasive sky-jacking
By Kishore Jethanandani

The countdown to an era of commercial drones has begun with the FAA approving the first of the six tests for their business use. So compelling are the applications of drones in remote locations, such as navigating the perilous snows of the Arctic for shipping companies, and the downside of cyber-security is apparently so minimal, that their business case is seemingly irrefutable.

Cyber-security risks will keep regulators on tenterhooks as they test the air for drones. Eventually, they want regulations to create a safe environment for mass adoption of drones in densely populated areas, where the risk of a catastrophe is very high. Intrusion into drones could potentially have the same devastating effects as in the Air Spain passenger airplane, where the alert system was prevented from reporting a system failure, leading to its horrific crash. Drones will also extend the reach of the internet into the far corners of the world and expose them to the cyber-security risks common in more densely populated regions.

The cyber-security hell of the future is the hijacking of swarms of drones. Hackers have shown that any one of these drones, once sky-jacked, can create a potential entry point for penetrating every other of its peers in the vicinity. Insecure Wi-Fi connections, with their unencrypted signals, leave the door open for hackers to take control. They can then begin to use the hijacked drone as a command center that would be able to instruct every one of its peers to do its bidding, including engagement in criminal or war-like activity. The GPS sensors that guide the movement of unmanned aerial vehicles can be spoofed to redirect them at will.

Drones have the technological wherewithal to be a network node, a wireless tower in the skies, and have the ability to intercept signals from mobile devices, as was recently demonstrated in London. They can masquerade as one of the networks that mobile devices are calling to connect to, and unsuspecting users will unwittingly send their private information to them. As growing numbers of drones loom over mobile devices, they will have the ability to hijack mobile devices on an increasing scale.

Drones will inexorably grow in numbers, and to prevent their expansion will be no more practical than it would be for commercial aircraft. Flying commercial aircraft on auto-pilot is barely distinguishable from a drone. In fact, some hackers demonstrated a lab-scale version of the remote hijacking of commercial aircraft with mobile devices, including the ability to spin them in the sky in the manner of a game!

Reliable cyber-security, in such an environment, would need a mastery of all the protocols, platforms and applications, and the diversity of operating systems of devices in use all across the system, and its continuous monitoring. It is hard to conceive of a system of this size managed with methods designed for enterprise networks. More likely their security management will be akin to heterogeneous telecom networks with distributed intelligence. Drones will contribute more complexity with their movements aided by sensors.

The progression of drone use from its early adoption in the military to remote-area commercial applications and widespread use in urban areas will likely hinge on the successful design of a distributed network with layers of cyber-security driven by big data. Each sub-system will be as homogenous as possible, with distinct groups of experts managing each one of them.

Cyber-detectives on the trail of cyber-criminals
By Kishore Jethanandani

Cyber-security in the Enterprise is caught in a dangerous time warp—the long-held assumption that the invaluable information assets of companies can be cordoned off within a perimeter, protected by firewalls, no longer holds. The boundaries are porous, with many access points available to a mobile and distributed workforce, and to partners’ networks, with remote access rights to corporate data via the cloud.

Mobile endpoints and their use of the cloud for sharing corporate data have been found to be the most vulnerable conduit that cyber-criminals exploit for launching the most sophisticated attacks (advanced persistent threats) intended to steal intellectual property. The Ponemon Institute’s survey of cyber-security attacks, over twenty-four months, found that 71 percent of companies reported that endpoint security risks are the most difficult to mitigate. The use of multiple mobile devices to access the corporate network was reported to be the highest risk, with 60 percent reporting so. Another 50 percent considered the use of personal mobile devices for work-related activity to be the greatest exposure. The second most important class of IT threats was perceived to be third-party cloud applications, with 66 percent reporting so. The third most significant IT risk of greatest concern was reported to be Advanced Persistent Threats.

In an environment of pervasive vulnerabilities, enterprises are learning to remain vigilant about anomalous behavior pointing to an impending attack from criminals. “Behavioral patterns that do not conform to the usual rhythm of daily activity, often concurrent with large volumes of traffic, are the hallmarks of a cyber-criminal,” Dr. Vincent Berk, CEO and co-founder of Flowtraq, a Big Data cyber-security firm that specializes in identifying behavioral patterns of cyber-criminals, told us. “A tell-tale sign of an imminent cyber attack is unexpected network reconnaissance activity,” he informed us. Human beings need to correlate several clues emerging from the data analysis before drawing conclusions, because criminals learn new ways to evade surveillance.

Enterprises now recognize the importance of learning to recognize the “fingerprints” of cyber-criminals from their behavior. A 2014 survey by PricewaterhouseCoopers found that 20 percent of the respondents see security information and event management tools as a priority, and an equal number see event correlation as a priority. These technologies help to recognize the behavioral patterns of cyber-criminals.

“Scalability of Big Data solutions to identify the behavior of cyber-criminals is the most daunting challenge,” Dr. Vincent Berk told us. “We extract data from routers and switches anywhere in the pathway of data flows in and out of the extended enterprise,” he explained to us. “The fluidity of enterprise networks today, with increasing virtualization and recourse to the cloud, makes it challenging to track them,” he informed us. “Additionally, mergers and acquisitions add to the complexity as more routers and switches have to be identified and monitored,” he explained to us.

Dr. Berk underscored the importance of avoiding false positives, which could lead to denial of access to legitimate users of the network and interruption of business activity. “Ideally, we want to monitor at a more granular level, including the patterns of activity on each device in use, and any departures from the norm, to avoid false positives,” he told us. The filter of human intelligence is still needed to isolate false positives.

“Granular monitoring is more accurate and has uncovered sophisticated intruders who hide inside virtualized private networks (VPNs) or encrypted data flows,” Dr. Berk revealed to us. Often, these sophisticated attackers have been there for years unnoticed. “The VPNs and the encryption are not cracked, but the data is analyzed to understand why they are in the network,” Dr. Berk explained to us.

Cyber-security will increasingly be a battle of wits between intruders and their victims. Big Data analysis notwithstanding, cyber-criminals will find new ways to elude their hunters. The data analysis will provide clues about the ever-changing methods used by cyber-criminals and means to guard against their attacks. The quality of human intelligence on either side will determine who wins.

HTML5’s Private view
By Kishore Jethanandani

Mobile devices make their transition from personal devices to intimate devices with HTML5. They can now potentially see, hear and sense the world of smartphone users, aided by APIs that open the doorways to the cameras, microphones and the sensors in mobile devices. The cross-platform capabilities of HTML5 also enable virtual peeping toms, stalkers, and spies to snoop into the private world of smartphone users while covering their tracks.

Sensors like accelerometers, gyroscopes, and compasses, commonly embedded in mobile devices, can record motion as well as its direction and slope. This data can help to determine the pathway of the user of applications built on HTML5 for mobile devices. Using cross-site scripting and JavaScript, hackers can remotely gain access to the data. Applications like Highster Mobile have been used to keep track of the movements of cheating spouses to verify their stories.

Remote tracking of mobile devices does not necessarily have the dark motives of cyber-criminals. Such applications are also widely used to track teenagers and their risky behaviors with mobile devices. Location Labs now sells the FamilyBase plan for alerting parents when their teenage children are texting and driving. While intrusive, these kinds of applications can even improve safety.

HTML5, designed for bandwidth efficiency, is used for real-time, cross-platform, multi-user, interactive streaming applications that need persistent connections for the transmission of small bits of data for content like stock price updates. A typical use case is the trading platform created by Interactive Brokers for day traders and hedge funds. Users receive real-time quotes with charts on an iPad and other mobile devices. The diversity of mobile devices calls for a cross-platform solution that HTML5 can provide but native applications cannot.

WebSocket, one of the platforms within HTML5, saves bandwidth by serving multiple requests for content over a single persistent connection with minimal security overhead (the headers that accompany every packet of data transmitted). By contrast, polling makes multiple requests for content in real time with traditional HTTP. Similarly, several data streams flow in opposite directions over a single connection. Since multiple data streams flow on a single connection, WebSockets also open the way for distributed denial of service attacks that are hard to control without the benefit of the security overheads commonly used with TCP connections.

Deep Content Inspection is the alternative method for securing networks when multiple streams of data are flowing without the packet security headers to filter for malware. This approach examines the content inside packets to look for signs of criminal activity, including inspection of the addresses and URLs of applications to ensure they are not coming from disreputable sources. Additionally, the content flows are parsed to uncover any lurking malicious intent that might be harmful to the receiving servers.
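The per-message checks the last two paragraphs call for, as an added example that is not code from the original article or from any product it names: a parser for client WebSocket frames that enforces masking and a payload ceiling before buffering, a per-connection message budget against floods on a single socket, and inspection of the URLs inside text frames against an assumed host allowlist. The limits, the allowlist host and the sample frames are constructed for the example.

```python
"""Inspecting client WebSocket frames on one persistent connection: an added
example of per-message checks standing in for HTTP's per-request headers. Not the
code of any product named above; limits and allowlist are assumed for the example."""
import re
import struct

MAX_PAYLOAD = 4096              # assumption: largest message the server accepts
MAX_MSGS_PER_SECOND = 50        # assumption: per-connection message budget
ALLOWED_HOSTS = {"quotes.example.com"}  # assumption: links may only point here
URL_RE = re.compile(r"https?://([^/\s]+)")

def parse_frame(buf):
    """Decode one RFC 6455 client frame: returns (opcode, payload, bytes_consumed)."""
    if len(buf) < 2:
        raise ValueError("short frame")
    opcode, masked, length = buf[0] & 0x0F, buf[1] >> 7, buf[1] & 0x7F
    pos = 2
    if length == 126:                       # 16-bit extended length follows
        length, pos = struct.unpack_from("!H", buf, 2)[0], 4
    elif length == 127:                     # 64-bit length: always above our limit
        raise ValueError("payload exceeds limit")
    if not masked:                          # RFC 6455 requires client->server masking
        raise ValueError("client frames must be masked")
    if length > MAX_PAYLOAD:                # reject before buffering the payload
        raise ValueError("payload exceeds limit")
    key, pos = buf[pos:pos + 4], pos + 4
    if len(buf) < pos + length:
        raise ValueError("truncated frame")
    payload = bytes(b ^ key[i % 4] for i, b in enumerate(buf[pos:pos + length]))
    return opcode, payload, pos + length

def client_frame(payload, opcode=0x1, key=b"\x12\x34\x56\x78"):
    """Build a masked, single-fragment client frame (constructed test input)."""
    n = len(payload)
    head = bytes([0x80 | opcode]) + (bytes([0x80 | n]) if n < 126
                                     else bytes([0x80 | 126]) + struct.pack("!H", n))
    return head + key + bytes(b ^ key[i % 4] for i, b in enumerate(payload))

class ConnectionGuard:
    """Budget and content inspection for every stream multiplexed on one socket."""
    def __init__(self):
        self.window, self.count = None, 0
    def inspect(self, buf, now):
        """Return one verdict per frame in buf; stop at the first fatal violation."""
        verdicts, pos = [], 0
        while pos < len(buf):
            sec = int(now)
            if sec != self.window:              # new one-second window
                self.window, self.count = sec, 0
            self.count += 1
            if self.count > MAX_MSGS_PER_SECOND:  # flood on a single connection
                verdicts.append("close: flood")
                break
            try:
                opcode, payload, used = parse_frame(buf[pos:])
            except (ValueError, struct.error) as err:
                verdicts.append(f"close: {err}")
                break
            pos += used
            # Text frames get content inspection; binary/control frames are envelope-only
            text = payload.decode("utf-8", "replace") if opcode == 0x1 else ""
            bad = [h for h in URL_RE.findall(text) if h not in ALLOWED_HOSTS]
            verdicts.append(f"drop: link to {bad[0]}" if bad else "ok")
        return verdicts
```

A "close" verdict is where a real server would send a close frame and drop the connection, since after a protocol violation the remaining bytes can no longer be framed reliably.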

HTML5 is indispensable in the emerging world of browser-to-browser, data-rich multi-media communications prone to traffic spikes. Cumbersome security inspection methods will impede new applications. The alternative is to look for identifiers that are giveaways of criminal activity. Security management will need to get a lot more intelligent to be consistent with the needs of today’s applications.