How to keep your Smart Home safe

The Internet of Things (IoT) devices can help you save time and hassle and improve your quality of life. As an example, you can check the contents of your fridge and turn on the oven while at the grocery store thus saving money, uncertainty, and time when preparing dinner for your family. This is great and many people will benefit from features like these. However, as with all changes, along with the opportunity there are risks. Particularly there are risks to your online security and privacy but some of these risks extend to the physical World as well. As an example, the possibility to remotely open your front door lock for the plumber can be a great time saver but it also means that by hacking your cloud accounts it will be possible for also the hackers to open your door — and possibly sell access to your home on dark markets. And it’s not just about hacking: These gadgets collect data about what’s happening in your home and life and hence they themselves present a risk to your privacy.

Example of a smart home set up

Image: The above image shows a typical smart home configuration and the kinds of attacks it can face. While the smart home is not a target at the moment due to its low adoption rate and high fragmentation, all of the layers can be attacked with existing techniques.

If you are extremely worried about your privacy and security, the only way to really stay safe is to not buy and use these gadgets. However, for most people, the time-saving convenience benefits of IoT and the Smart Home will outweigh most privacy and security implications. Also, IoT devices are not widely targeted at the moment and even when they are, the attackers are after the computing power of the device — not yet your data or your home. Actually, the biggest risk right now comes from the way how the manufacturers of these devices handle your personal data. This all said, you shouldn’t just blindly jump in. There are some things that you can do to reduce the risks:

•  Do not connect these devices directly to public internet addresses. Use a firewall or at least a NAT (Network Address Translation) router in front of the devices to make sure they are not discoverable from the Internet. You should disable UPnP (Universal Plug and Play) on your router if you want to make sure the devices cannot open a port on your public internet address.

•  Go through the privacy and security settings of the device or service and remove everything you don’t need. For many of these devices the currently available settings are precious few, however. Shut down features you don’t need if you think they might have any privacy implications. For example, do you really use the voice commands feature in your Smart TV or gaming console? If you never use it, just disable it. You can always enable it back if you want to give the feature a try later.

•  When you register to the cloud service of the IoT device, use a strong and unique password and keep it safe. Change the password if you think there is a risk someone managed to spy it. Also, as all of these services allow for a password reset through your email account, make sure you secure the email account with a truly strong password and keep the password safe. Use 2-factor authentication (2FA) where available — and for most popular email services it is available today.

•  Keep your PCs, tablets, and mobile phones clear of malware. Malware often steals passwords and may hence steal the password to your smart home service or the email account linked to it. You need to install security software onto devices where you use the passwords, keep your software updated with the latest security fixes, and, as an example, make sure you don’t click on links or attachments in weird spam emails.

•  Think carefully if you really want to use remotely accessible smart locks on your home doors. If you’re one of those people who leave the key under the door mat or the flower pot, you’re probably safer with a smart lock, though.

•  If you install security cameras and nannycams, disconnect them from the network when you have no need for them. Consider doing the same for devices that constantly send audio from your home to the cloud unless you really do use them all the time. Remember that most IoT devices don’t have much computing power and hence the audio and video processing is most likely done on some server in the cloud.

•  Use encryption (preferably WPA2) in your home Wi-Fi. Use a strong Wi-Fi passphrase and keep it safe. Without a passphrase, with a weak passphrase, or when using an obsolete protocol such as WEP, your home Wi-Fi becomes an open network from a security perspective.

•  Be careful when using Open Wi-Fi networks such as the network in a coffee shop, a shopping mall, or a hotel. If you or your applications send your passwords in clear text, they can be stolen and you may become a victim of a Man-in-the-Middle (MitM) attack. Use a VPN application always when using Open Wi-Fi. Again, your passwords are they key to your identity and also to your personal Internet of Things.

•  Limit your attack surface. Don’t install devices you know you’re not going to need. Shut down and remove all devices that you no longer need or use. When you buy a top of the line washing machine, and you notice it can be connected through Wi-Fi, consider if you really want and need to connect it before you do. Disconnect the device from the network once you realize you actually don’t use the online features at all.

•  When selecting which manufacturer you buy your device from, check what they say about security and privacy and what their privacy principles are. Was the product rushed to the market and were any security corners cut? What is the motivation of the manufacturer to process your data? Do they sell it onwards to advertisers? Do they store any of your data and where do they store it?

•  Go to your home router settings today. Make sure you disable services that are exposed to the Internet — the WAN interface. Change the admin password to something strong and unique. Check that the DNS setting of the router points to your ISP’s DNS server or some open service like OpenDNS or Google DNS and hasn’t been tampered with.

•  Make sure you keep your router’s firmware up-to-date and consider replacing the router with a new one, especially, if the manufacturer no longer provides security updates. Consider moving away from a manufacturer that doesn’t do security updates or stops them after two years. The security of your home network starts from the router and the router is exposed to the Internet.

The above list of actions is extensive and maybe a bit on the “band-aid on the webcam”-paranoid side. However, it should give you an idea of what kinds of things you can do to stay in control of your security and privacy when taking a leap to the Internet of Things. Security in the IoT World is not that different from earlier: Your passwords are also very important in IoT as is the principle of deploying security patches and turning off services you don’t need.

On 02/03/15 At 10:11 PM

More here

Posted in Uncategorized | Leave a comment

The Equation Group Equals NSA / IRATEMONK

On December 29, 2013, Der Spiegel, a German weekly news magazine, published an article about an internal NSA catalogthat lists technology available to the NSA’s Tailored Access Operations (TAO). Among that technology is “IRATEMONK”.

“IRATEMONK provides software application persistence on desktop and laptop computers by implanting the hard drive firmware to gain execution through Master Boot Record (MBR) substitution.”

IRATEMONK, ANT Product Data
Source: Wikimedia

“This technique supports systems without RAID hardware that boot from a variety of Western Digital, Seagate, Maxtor, and Samsung hard drives.”

On January 31, 2014, Bruce Schneier deemed IRATEMONK his “NSA Exploit of the Day” which prompted this from Nicholas Weaver.

NCWeaver on IRATEMONK

“This is probably the most interesting of the BIOS-type implants.”

“yet the cost of evading the ‘boot from CD’ detection is now you have guaranteed ‘NSA WAS HERE‘ writ in big glowing letters if it ever IS detected.”

Well, funny story — components related to IRATEMONK have now been detected — by the folks at Kaspersky Labs. Kaspersky’s research paper refers to a threat actor called the “Equation group” whose country of origin is not named, but the group has exactly the capabilities detailed by the NSA’s ANT catalog.

Ars Technica has an excellent summary here: How “omnipotent” hackers tied to NSA hid for 14 years—and were found at last.

On 17/02/15 At 01:20 PM

More here

Posted in Uncategorized | Leave a comment

NSA/GCHQ Hacks SIM Card Database and Steals Billions of Keys

The Intercept has an extraordinary story: the NSA and/or GCHQ hacked into the Dutch SIM card manufacturer Gemalto, stealing the encryption keys for billions of cell phones. People are still trying to figure out exactly what this means, but it seems to mean that the intelligence agencies have access to both voice and data from all phones using those cards.

Me in The Register: “We always knew that they would occasionally steal SIM keys. But all of them? The odds that they just attacked this one firm are extraordinarily low and we know the NSA does like to steal keys where it can.”

I think this is one of the most important Snowden stories we’ve read.

More newsstories. Slashdot thread. Hacker News thread.

More here

Posted in Uncategorized | Leave a comment

Database of Ten Million Passwords

Earlier this month, Mark Burnett released a database of ten million usernames and passwords. He collected this data from already-public dumps from hackers who had stolen the information; hopefully everyone affected has changed their passwords by now.

Newsarticles.

More here

Posted in Uncategorized | Leave a comment

Boards Not Briefed on Strategy?

I’d like to make a quick note on strategy, after reading After high-profile hacks, many companies still nonchalant about cybersecurity in the Christian Science Monitor today. The article says:

In a survey commissioned by defense contractor Raytheon of 1,006 chief information officers, chief information security officers, and other technology executives, 78 percent said their boards had not been briefed even once on their organization’s cybersecurity strategy over the past 12 months…

The findings are similar to those reported by PricewaterhouseCoopers in its Global State of Information Security Survey last year in which fewer that 42 percent of respondents said their board actively participates in overall security strategy.

Does this worry you? Do you want to introduce strategic thinking into your board discussion? If the answer is yes, consider these resources.

1. Check out my earlier blog posts on strategy, especially the first two articles.

2. Watch the keynote I delivered at ArchC0n last year. My section starts around 8:30.

3. For those who want to apply strategic thought to network security monitoring, I addressed that in a Webcast for O’Reilly last year.

At the end of the day, we need to be talking in strategic terms with business leaders, not technical terms. They are not having the conversations they need, and too few of us know how to speak a language that aligns with their interests and goals.

We need to convince boards and CxOs that we are understand their goals, and that security teams are implementing the correct strategy and running the right campaigns to achieve business objectives. We should not be talking to them about the tactics and tools to support the strategy and campaigns. Sell executives on your strategy, not your technical knowledge.

More here

Posted in Uncategorized | Leave a comment

Elevating the Discussion on Security Incidents

I am not a fan of the way many media sources cite “statistics” on digital security incidents. I’ve noted before that any “statistic” using the terms “millions” or “billions” to describe “attacks” is probably worthless.

This week, two articles on security incidents caught my attention. First, I’d like to discuss the story at left, published 17 February in The Japan Times, titled Cyberattacks detected in Japan doubled to 25.7 billion in 2014. It included the following:

The number of computer attacks on government and other organizations detected in Japan doubled in 2014 from the previous year to a record 25.66 billion, a government agency said Tuesday.

The National Institute of Information and Communications Technology used around 240,000 sensors to detect cyberattacks…

Among countries to which perpetrators’ Internet Protocol addresses were traced, China accounted for the largest share at 40 percent, while South Korea, Russia and the United States also ranked high.

NICT launched a survey on cyberattacks in Japan in 2005, when the number of such incidents stood at around 310 million. The number rose to about 5.65 billion in 2010 and to 7.79 billion in 2012.

25.66 billion “computer attacks”? That seems ridiculous at first glance. Based on observations from “around 240,000 sensors,” that’s over 100,000 “attacks” per sensor per year, or nearly 300 per sensor per day. That still seems excessive, although getting closer to an order of magnitude that might make sense.

You might find the trend line more interesting, i.e., 310 million to 5.65 billion to 7.79 billion to 25.66 billion. However, it is important to adjust for increased visibility at each point. I doubt that 240,000 sensors were operating prior to 2014.

(On a secondary note, I’m not thrilled by the section saying that Chinese IP addresses accounted for 40% of the “attacks.” While that may be a “fact,” it doesn’t say anything by itself that helps with attribution.)

Nevertheless, talking about individual “attacks,” especially when counting them discretely, is outmoded thinking, in my opinion. “Attacks” could include anything from transmitting a TCP segment to a specific port, to attempting SQL injection on a Web site, to sending a phishing email.

If properly defined, “attacks” become somewhat interesting, but their value as indicators should extend beyond being simple atomic events.

I was much more encouraged by the second article, at right, published 18 February by Reuters, titled Lockheed sees double-digit growth in cyber business. It included the following:

[Chief Executive Officer Marillyn] Hewson told the company’s annual media day that Lockheed had faced 50“coordinated, sophisticated campaign” attacks by hackers in 2014 alone, and she expected those threats to continue growing.

The use of the term “campaign” is significant here. Campaign aligns with the operational level of war, between Tactics and Strategy. (Tactics are employed as actions at the individual battle or skirmish level, while Strategy describes matching ways and means to achieve specific ends. See my posts on strategy for more.)

Campaigns are sets of activities pursued over days, weeks, months, and even years to accomplish strategic and policy goals. The term campaign indicates purpose, applied over an extended period of time. When the LM CEO speaks in these terms, she shows that her security team is thinking at an advanced level, likely aligning campaigns with specific threat actors and motives.

When a CEO talks about 50 campaigns, she can have a more meaningful discussion with the executives and board. She can talk about threat actors behind the campaigns, what happened during each campaign, and how the team detected and responded to them. The term Campaign also matches well with business operations; think of “marketing campaigns,”"sales campaigns,” etc.

I would very much like to see security teams, officials, and others think and talk about campaigns in the future, and place statistics on “attacks” in proper context. Note that some threat researchers talk about campaigns when they write reports on adversary activity, so that is a good sign already.

More here

Posted in Uncategorized | Leave a comment

The Equation Group’s Sophisticated Hacking and Exploitation Tools

This week, Kaspersky Labs published detailedinformation on what it calls the Equation Group — almost certainly the NSA — and its abilities to embed spyware deep inside computers, gaining pretty much total control of those computers while maintaining persistence in the face of reboots, operating system reinstalls, and commercial anti-virus products. The details are impressive, and I urge anyone interested to read the Kaspersky documents, or this very detailed article from Ars Technica.

Kaspersky doesn’t explicitly name the NSA, but talks about similarities between these techniques and Stuxnet, and points to NSA-like codenames. A related Reuters story provides more confirmation: “A former NSA employee told Reuters that Kaspersky’s analysis was correct, and that people still in the intelligence agency valued these spying programs as highly as Stuxnet. Another former intelligence operative confirmed that the NSA had developed the prized technique of concealing spyware in hard drives, but said he did not know which spy efforts relied on it.”

In some ways, this isn’t news. We saw examples of these techniques in 2013, when Der Spiegelpublished details of the NSA’s 2008 catalog of implants. (Aside: I don’t believe the person who leaked that catalog is Edward Snowden.) In those pages, we saw examples of malware that embedded itself in computers’ BIOS and disk drive firmware. We already know about the NSA’s infection methods using packet injection and hardware interception.

This is targeted surveillance. There’s nothing here that implies the NSA is doing this sort of thing to every computer, router, or hard drive. It’s doing it only to networks it wants to monitor. Reuters again: “Kaspersky said it found personal computers in 30 countries infected with one or more of the spying programs, with the most infections seen in Iran, followed by Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria. The targets included government and military institutions, telecommunication companies, banks, energy companies, nuclear researchers, media, and Islamic activists, Kaspersky said.” A map of the infections Kaspersky found bears this out.

On one hand, it’s the sort of thing we want the NSA to do. It’s targeted. It’s exploiting existing vulnerabilities. In the overall scheme of things, this is muchless disruptive to Internet security than deliberately inserting vulnerabilities that leave everyone insecure.

On the other hand, the NSA’s definition of “targeted” can be pretty broad. We know that it’s hacked the Belgian telephone company and the Brazilian oil company. We know it’s collected every phone call in the Bahamas and Afghanistan. It hacks system administrators worldwide.

On the other other hand — can I even have three hands? — I remember a line from my latest book: “Today’s top-secret programs become tomorrow’s PhD theses and the next day’s hacker tools.” Today, the Equation Group is“probably the most sophisticated computer attack group in the world,” but these techniques aren’t magically exclusive to the NSA. We know China uses similar techniques. Companies like Gamma Group sell less sophisticated versions of the samethings to Third World governments worldwide. We need to figure out how to maintain security in the face of these sorts of attacks, because we’re all going to be subjected to the criminal versions of them in three to five years.

That’s the real problem. Steve Bellovin wrote about this:

For more than 50 years, all computer security has been based on the separation between the trusted portion and the untrusted portion of the system. Once it was “kernel” (or “supervisor”) versus “user” mode, on a single computer. The Orange Book recognized that the concept had to be broader, since there were all sorts of files executed or relied on by privileged portions of the system. Their newer, larger category was dubbed the “Trusted Computing Base” (TCB). When networking came along, we adopted firewalls; the TCB still existed on single computers, but we trusted “inside” computers and networks more than external ones.

There was a danger sign there, though few people recognized it: our networked systems depended on other systems for critical files….

The National Academies report Trust in Cyberspace recognized that the old TCB concept no longer made sense. (Disclaimer: I was on the committee.) Too many threats, such as Word macro viruses, lived purely at user level. Obviously, one could have arbitrarily classified word processors, spreadsheets, etc., as part of the TCB, but that would have been worse than useless; these things were too large and had no need for privileges.

In the 15+ years since then, no satisfactory replacement for the TCB model has been proposed.

We have a serious computer security problem. Everything depends on everything else, and security vulnerabilities in anything affects the security of everything. We simply don’t have the ability to maintain security in a world where we can’t trust the hardware and software we use.

This article was originally published at the Lawfare blog.

EDITED TO ADD (2/17): Slashdot thread. Hacker News thread. Reddit thread. BoingBoing discussion.

EDITED TO ADD (2/18): Here areare two academic/hacker presentations on exploiting hard drives. And another article.

More here

Posted in Uncategorized | Leave a comment

Suggestion for Interviewing Technical Hires

Thanks to a Tweet by Peter Singer, I read an article at Forbes titled Maldrone: Watch Malware That Wants To Spread Its Wings Kill A Drone Mid-Flight. This article is interesting in its own right, but it linked to a late 2013 project by Samy Kamkar called SkyJack.

Samy’s project links to a video where he describes software that enables a Parrot drone to “autonomously seek out, hack, and wirelessly take full control over any other Parrot drones within wireless or flying distance, creating an army of zombie drones under your control.”

That is all really cool by itself. However, when watching the video, I realized that it incorporates many different elements of IT and security. Samy put many different tools, tactics, and hardware to work in order to accomplish his drone hijack goal. I began to wonder what it would take for someone to follow along and understand each step of the process.

I remembered the sorts of questions my leadership team and I used to ask of new hires. If you are confronted by similar challenges, keep this video in mind. I suggest that during a technical interview, ask the participant to watch Samy’s video. After the video finishes, ask the candidate to explain how Samy’s system works. The ability to “digest” the entire system, and teach it back to you, is a marker for their technical and explanatory abilities.

If the candidate can explain the attack and its components, I would ask:

  • How could you prevent the attack?
  • How could you detect the attack?
  • How could you respond to the attack?
Depending on the candidate and your interests, you might even have the proposed hire examine the code and work with that aspect of the system.

Have you seen other videos which could serve similar functions?

More here

Posted in Uncategorized | Leave a comment

Thoughts from Senate Testimony

Yesterday I testified to the Senate Homeland Security and Government Affairs committee at a hearing on Protecting America from Cyber Attacks: The Importance of Information Sharing. I’d like to share a few thoughts about the experience. You may find these comments helpful if you are asked to testify, or want to help someone testify, or want to influence the legislative process.

This was my fifth appearance at a government hearing. In 2012 I apepared before the U.S.-China Economic and Security Review Commission, and in 2013 I appeared before the Senate Armed Services Committee, the House Committee on Homeland Security, and the House Committee on Foreign Affairs.

The process starts with a request from committee staff. They asked if I would be available and willing to testify. If I decide to decline, they would generally not force me to appear. The exception would be some sort of adversarial hearing. On the contrary, this sort of hearing is intended to educate the legislators and the public about a certain topic.

Two days prior to the hearing I had to submit written testimony, available here as a PDF. Writing this document wasn’t easy. The committee staff asked me to address specific questions about adversaries and threat intelligence. I had to strike a tone and write in a way that would be accessible to the Senators and staffers, while conveying the right information.

I spoke in one of the conference rooms in the Dirksen Senate office building. The location is open to the public, but you have to pass through a metal detector. There was room for about 100 people in the chamber. The attendees are a mix of press, staffers, and interested citizens, along with the witnesses and our colleagues.

The hearing starts when the chairman decides to begin. Senators and staffs enter and leave as they wish. Votes were happening during the hearing, so Senators leave to vote. A camera, shown in the lower left of the picture above, records the event and broadcasts it to the Senator’s offices. They can watch remotely, in other words. A court stenographer seated in the well creates a transcript in real time.

As you can see in the picture at left, I had to raise my right hand and swear to tell the truth before the committee. This was the first time I had to do that. Chairman Johnson said it was a committee tradition.

This was the first hearing of the new Congress, and some of the members were new to the Committee. The Chairman instructed them on the order for asking questions. Each got 5 minutes.

Witnesses had 6 minutes each for opening statements. In front of each witness is a microphone and an old-school digital timer. When you have a minute left, the light changes from green to yellow. When your time ends, the clock starts counting up from zero, and the light changes to red.

I had my statement ready to go, but the first witness ended about 2 minutes early. This set a possible expectation that we would all have to finish early. I started crossing out sections of my statement in order to limit the time I needed to finish.

When I spoke, I kept to my script, but I added color for certain points based on what I heard earlier. I also emphasized a few points based on my sense of the Senators’ interest level.

After all the witnesses spoke, we answered questions from the Senators. I thought they asked good questions. They tended to stick with the content of the hearing, namely information sharing. At other appearances I have fielded questions on many aspects of “cyber security.” I think the legislators are making progress trying to understand the issues.

One issue I didn’t mention in my statement involved the Computer Fraud and Abuse Act (CFAA). I thought of the CFAA based on reactions from the security community, mainly in blog posts and Tweets. Chairman Johnson asked what obstacles he should expect when trying to pass threat intelligence sharing legislation. I responded that there is a trust deficit in the security community. I thought that reform of the CFAA to address some of the security community’s concerns would help build goodwill and reduce opposition to other security-themed legislation. I reinforced this point after the hearing when Senators Johnson and Carper spoke privately with the witnesses.

It is important to know that legislators aren’t just interested in complaints about their proposals. They are much more likely to want suggested language to change the proposal. That is the best case for both parties.

Sometimes it’s not possible to identify a legislative solution to a problem. Sometimes legislation is not appropriate. I made this point when I said that we didn’t need greater penalties for “hacking.” I think we need reformed hacking laws that are enforced. I also said that it’s better for the government to focus on inherently government functions, like law enforcement, that are denied to the private sector.

If you have any questions, please post them here or ask via Twitter to @taosecurity.

More here

Posted in Uncategorized | Leave a comment

My Conversation with Edward Snowden

Today, as part of a Harvard computer science symposium, I had a public conversation with Edward Snowden. The topics were largely technical, ranging from cryptography to hacking to surveillance to what to do now.

Here’s the video.

EDITED TO ADD (1/24): News article.

More here

Posted in Uncategorized | Leave a comment