Login
Article tags
Fitness trackers worn on the wrist, glucose monitors that test blood sugar without a prick, and connected toothbrushes that let you know when you’ve missed a spot—welcome to internet-connected healthcare. It’s a new realm of care with breakthroughs big and small. Some you’ll find in your home, some you’ll find inside your doctor’s office, yet all of them are connected. Which means they all need to be protected. After all, they’re not tracking any old data. They’re tracking our health data, one of the most precious things we own.
Internet-connected healthcare, also known as connected medicine, is a broad topic. On the consumer side, it covers everything from smart watches that track health data to wireless blood pressure monitors that you can use at home. On the practitioner side, it accounts for technologies ranging from electronic patient records, network-enabled diagnostic devices, remote patient monitoring in the form of wearable devices, apps for therapy, and even small cameras that can be swallowed in the form of a pill to get a view of a patient’s digestive system.
Additionally, it also includes telemedicine visits, where you can get a medical issue diagnosed and treated remotely via your smartphone or computer by way of a video conference or a healthcare provider’s portal—which you can read about more in one of my blogs. In all, big digital changes are taking place in healthcare—a transformation that’s rapidly taking shape to the tune of a global market expected to top USD 534.3 billion by 2025.
Advances in digital healthcare have come more slowly compared to other aspects of our lives, such as consumer devices like phones and tablets. Security is a top reason why. Not only must a healthcare device go through a rigorous design and approval process to ensure it’s safe, sound, and effective, but it’s also held to similar rigorous degrees of regulation when it comes to medical data privacy. For example, in the U.S., we have the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which sets privacy and security standards for certain health information.
Taken together, this requires additional development time for any connected medical device or solution, in addition to the time it takes to develop one with the proper efficacy. Healthcare device manufacturers cannot simply move as quickly as, say, a smartphone manufacturer can. And rightfully so.
However, for this blog, we’ll focus on the home and personal side of the equation, with devices like fitness trackers, glucose monitors, smartwatches, and wearable devices in general—connected healthcare devices that more and more of us are purchasing on our own. To be clear, while these devices may not always be categorized as healthcare devices in the strictest (and regulatory) sense, they are gathering your health data, which you should absolutely protect. Here are some straightforward steps you can take:
1) First up, protect your phone
Many medical IoT devices use a smartphone as an interface, and as a means of gathering, storing, and sharing health data. So whether you’re an Android owner or iOS owner, get security software installed on your phone so you can protect all the things it accesses and controls. Additionally, installing it will protect you and your phone in general as well.
2) Set strong, unique passwords for your medical IoT devices
Some IoT devices have found themselves open to attack because they come with a default username and password—which are often published on the internet. When you purchase any IoT device, set a fresh password using a strong method of password creation. And keep those passwords safe. Instead of keeping them in a notebook or on sticky notes, consider using a password manager.
3) Use two-factor authentication
You’ve probably come across two-factor authentication while banking, shopping, or logging into any other number of accounts. Using a combination of your username, password, and a security code sent to another device you own (typically a mobile phone) makes it tougher for hackers to crack your device. If your IoT device supports two-factor authentication, use it for extra security.
4) Update your devices regularly
This is vital. Make sure you have the latest updates so that you get the latest functionality from your device. Equally important is that updates often contain security upgrades. If you can set your device to receive automatic updates, do so.
5) Secure your internet router
Your medical IoT device will invariably use your home Wi-Fi network to connect to the internet, just like your other devices. All the data that travels on there is personal and private, and that goes double for any health data that passes along it. Make sure you use a strong and unique password. Also, change the name of your router so it doesn’t give away your address or identity. One more step is to check that your router is using an encryption method, like WPA2, which will keep your signal secure. You may also want to consider investing in an advanced internet router that has built-in protection, which can secure and monitor any device that connects to your network.
6) Use a VPN and a comprehensive security solution
Similar to the above, another way you can further protect the health data you send over the internet is to use a virtual private network, or VPN. A VPN uses an encrypted connection to send and receive data, which shields it from prying eyes. A hacker attempting to eavesdrop on your session will effectively see a mishmash of garbage data, which helps keep your health data secure.
7) When purchasing, do your research
Read up on reviews and comments about the devices you’re interested in, along with news articles about their manufacturers. See what their track record is on security, such as if they’ve exposed data or otherwise left their users open to attack.
Bottom line, when we speak of connected healthcare, we’re ultimately speaking about one of the most personal things you own: your health data. That’s what’s being collected. And that’s what’s being transmitted by your home network. Take these extra measures to protect your devices, data, and yourself as you enjoy the benefits of the connected care you bring into your life and home.
The post How to Protect Your Internet-Connected Healthcare Devices appeared first on McAfee Blog.
ST Smart Things Sentinel is an advanced security tool engineered specifically to scrutinize and detect threats within the intricate protocols utilized by IoT (Internet of Things) devices. In the ever-expanding landscape of connected devices, ST Smart Things Sentinel emerges as a vigilant guardian, specializing in protocol-level threat detection. This tool empowers users to proactively identify and neutralize potential security risks, ensuring the integrity and security of IoT ecosystems.
~ Hilali Abdel
USAGE
python st_tool.py [-h] [-s] [--add ADD] [--scan SCAN] [--id ID] [--search SEARCH] [--bug BUG] [--firmware FIRMWARE] [--type TYPE] [--detect] [--tty] [--uart UART] [--fz FZ]
[Add new Device]
python3 smartthings.py -a 192.168.1.1
python3 smarthings.py -s --type TPLINK
python3 smartthings.py -s --firmware TP-Link Archer C7v2
Search for CVE and Poc [ firmware and device type]
Scan device for open upnp ports
python3 smartthings.py -s --scan upnp --id
get data from mqtt 'subscribe'
python3 smartthings.py -s --scan mqtt --id
As of the writing of this article, the height of the pandemic seems like a distant but still vivid dream. Sanitizing packages, sparse grocery shelves, and video conferencing happy hours are things of the past for the majority of the population. Thank goodness.
A “new normal” society is adapting to today’s working culture. The work landscape changed significantly since 2020, and it might never return to what it once was. In 2022, workers spent an average 3.5 days in the office per week, which is 30% below the prepandemic in-office average.1
The work-from-home movement is likely here to stay, to the joy of employees seeking a better work-life balance and flexibility; however, some responsibility does fall upon people like you to secure home offices to protect sensitive company information.
To make sure you’re not the weak cyber link in your company’s security, make sure to follow these three tips for a secure home office.
When you’re not physically in front of your work computer, best practices dictate that you lock the screen or put your device to sleep. No matter how much you trust your family, roommates, or the trustworthy-looking person seated next to you at a café, your company device houses all kinds of corporate secrets. A stray glance from the wrong person could put that information’s secrecy in jeopardy. Plus, imagine your cat walking across your keyboard or a toddler mashing your mouse, deleting hours’ worth of work. Disastrous.
Then, when you’re done with work for the day, stow your device in a secure location, preferably a drawer with a lock. Even if your work computer is 10 times faster and sleeker than your personal laptop, keep each device in its designated sphere in your life: work devices only for work, personal devices only for personal activities.
Wi-Fi networks that are not password protected invite anyone off the street to surf on your network and eavesdrop on your online activities. A stranger sneaking on to your home Wi-Fi could be dangerous to your workplace. There would be very little stopping a stranger from spying on your connected work devices and spreading confidential information onto the dark web or leaking company secrets to the media.
There are a few steps you can take to secure your home office’s internet connection. First, make sure to change the default name and password of your router. Follow password best practices to create a strong first defense. For your router name, choose an obscure inside joke or a random pairing of nouns and adjectives. It’s best to omit your address and your real name as the name of your router, because that could alert a cybercriminal that that network belongs to you. Better yet, you can hide your router completely from strangers and only make it searchable to people who know the exact name of your network.
For an additional layer of protection, connect to a virtual private network (VPN). Your company may offer a corporate VPN. If not, signing up for your own VPN is easy. A VPN encrypts the traffic coming in and going out of your devices making it nearly impossible for a cybercriminal to burst into your online session and see what’s on your screen.
The scenarios outlined in your company’s security training may seem far-fetched, but the concepts of those boring corporate videos actually happen! For example, the huge Colonial Pipeline breach in 2021 originated from one employee who didn’t secure the company’s VPN with multifactor authentication (MFA).2 Cutting small corners like disabling MFA – which is such a basic and easy-to-use security measure – can have dire consequences.
Pay attention to your security training and make sure to follow all company cybersecurity rules and use security tools as your IT team intends. For example, if your company requires that everyone use a password manager, a corporate VPN, and multi-factor authentication, do so! And use them correctly every workday!
These tips are essential to a secure home office, but they’re also applicable to when you’re off the clock. Password- or passcode-protecting your personal laptop, smartphone, and tablet keeps prying eyes out of your devices, which actually hold more personally identifiable information (PII) than you may think. Password managers, a secure router, VPNs, and safe browsing habits will go a long way toward maintaining your online privacy.
To fill in the cracks to better protect your home devices and your PII, partner with McAfee+. McAfee+ includes a VPN, safe browsing tool, identity monitoring and remediation services, a password manager, and more for a more secure digital life.
In one global survey, 68% of people prefer hybrid work models, and nearly three-quarters of companies allow employees to work from home some of the time.3,4 The flexibility afforded by hybrid work and 100% work-from-home policies is amazing. Cutting out the time and cost of commuting five days a week is another bonus. Let’s make at-home work a lasting and secure way of professional life!
1McKinsey Global Institute, “How hybrid work has changed the way people work, live, and shop”
2The Hacker News, “Hackers Breached Colonial Pipeline Using Compromised VPN Password”
3World Economic Forum, “Hybrid working: Why there’s a widening gap between leaders and employees”
4International Foundation of Employee Benefit Plans, “Employee Benefits Survey: 2022 Results”
The post The Future of Work: How Technology & the WFH Landscape Are Making an Impact appeared first on McAfee Blog.
People who use devices like smart cameras and Wi-Fi-enabled baby monitors should strongly consider taking the following steps to protect their devices:
1. Update your devices. Manufacturers often advise consumers to update their software to the latest version and enable further security features. Updating your devices regularly increases the chances that you’ll receive security improvements soon after they become available.
2. Do not connect to your smart cameras, baby monitors, and other devices through public Wi-Fi. Accessing these devices via a smartphone app from an unprotected network can compromise the security of your devices. Use a VPN or a secure cellular data connection instead.
3. Use strong, unique passwords. Every device of yours should have one, along with a unique username to go along with it. In some cases, connected devices ship with default usernames and passwords, making them that much easier to hack.
With those immediate steps in place, this security advisory offers you a chance to take a fresh look at your network and device security overall. With these straightforward steps in place, you’ll be more protected against such events in the future—not to mention more secure in general.
Our banks, many of the online shopping sites we use, and numerous other accounts use two-factor authentication to help validate that we’re who we say we are when logging in. In short, a username and password combo is an example of one-factor authentication. The second factor in the mix is something you, and only you, own or control, like your mobile phone. Thus, when you log in and get a prompt to enter a security code that’s sent to your mobile phone, you’re taking advantage of two-factor authentication. If your IoT device supports two-factor authentication as part of the login procedure, put it to use and get that extra layer of security.
Your router acts as the internet’s gateway into your home. From there, it works as a hub that connects all your devices—computers, tablets, and phones, along with your IoT devices as well. That means it’s vital to keep your router secure. A quick word about routers: you typically access them via a browser window and a specific address that’s usually printed somewhere on your router. Whether you’re renting your router through your internet provider or have purchased one, the internet provider’s “how to” guide or router documentation can step you through this process.
The first thing to do is change the default password of your router if you haven’t done so already. Again, use a strong method of password creation. Also, change the name of your router. When you choose a new one, go with name that doesn’t give away your address or identity. Something unique and even fun like “Pizza Lovers” or “The Internet Warehouse” are options that mask your identity and are memorable for you too. While you’re making that change, you can also check that your router is using an encryption method, like WPA2, which helps secure communications to and from your router. If you’re unsure what to do, reach out to your internet provider or router manufacturer.
Just as you can offer your human guests secure access that’s separate from your own devices, creating an additional network on your router allows you to keep your computers and smartphones separate from IoT devices. This way, if an IoT device is compromised, a hacker will still have difficulty accessing your other devices, like computers and smartphones, along with the data and info that you have stored on them. You may also want to consider investing in an advanced internet router that has built-in protection and can secure and monitor any device that connects to your network.
We mentioned this above, yet it’s so important that it calls for a second mention: make sure you have the latest software updates for your IoT devices. That will make sure you’re getting the latest functionality from your device, and updates often contain security upgrades. If there’s a setting that lets you receive automatic updates, enable it so that you always have the latest.
You’ve probably seen that you can control a lot of your connected things with your smartphone. We’re using them to set the temperature, turn our lights on and off, and even see who’s at the front door. With that, it seems like we can add the label “universal remote control” to our smartphones—so protecting our phones has become yet more important. Whether you’re an Android or iOS device user, get security software installed on your phone so you can protect all the things it accesses and controls—in addition to you and the phone as well.
Using a strong suite of security software like McAfee+ Advanced, can help defend your entire family from the latest threats and malware, make it safer to browse, and look out for your privacy too.
The post How to Protect Your Smart Cameras and Wi-Fi Baby Monitors appeared first on McAfee Blog.
Researchers this month uncovered a two-year-old Linux-based remote access trojan dubbed AVrecon that enslaves Internet routers into botnet that bilks online advertisers and performs password-spraying attacks. Now new findings reveal that AVrecon is the malware engine behind a 12-year-old service called SocksEscort, which rents hacked residential and small business devices to cybercriminals looking to hide their true location online.
Image: Lumen’s Black Lotus Labs.
In a report released July 12, researchers at Lumen’s Black Lotus Labs called the AVrecon botnet “one of the largest botnets targeting small-office/home-office (SOHO) routers seen in recent history,” and a crime machine that has largely evaded public attention since first being spotted in mid-2021.
“The malware has been used to create residential proxy services to shroud malicious activity such as password spraying, web-traffic proxying and ad fraud,” the Lumen researchers wrote.
Malware-based anonymity networks are a major source of unwanted and malicious web traffic directed at online retailers, Internet service providers (ISPs), social networks, email providers and financial institutions. And a great many of these “proxy” networks are marketed primarily to cybercriminals seeking to anonymize their traffic by routing it through an infected PC, router or mobile device.
Proxy services can be used in a legitimate manner for several business purposes — such as price comparisons or sales intelligence — but they are massively abused for hiding cybercrime activity because they make it difficult to trace malicious traffic to its original source. Proxy services also let users appear to be getting online from nearly anywhere in the world, which is useful if you’re a cybercriminal who is trying to impersonate someone from a specific place.
Spur.us, a startup that tracks proxy services, told KrebsOnSecurity that the Internet addresses Lumen tagged as the AVrecon botnet’s “Command and Control” (C2) servers all tie back to a long-running proxy service called SocksEscort.
SocksEscort[.]com, is what’s known as a “SOCKS Proxy” service. The SOCKS (or SOCKS5) protocol allows Internet users to channel their Web traffic through a proxy server, which then passes the information on to the intended destination. From a website’s perspective, the traffic of the proxy network customer appears to originate from a rented/malware-infected PC tied to a residential ISP customer, not from the proxy service customer.
The SocksEscort home page says its services are perfect for people involved in automated online activity that often results in IP addresses getting blocked or banned, such as Craigslist and dating scams, search engine results manipulation, and online surveys.
Spur tracks SocksEscort as a malware-based proxy offering, which means the machines doing the proxying of traffic for SocksEscort customers have been infected with malicious software that turns them into a traffic relay. Usually, these users have no idea their systems are compromised.
Spur says the SocksEscort proxy service requires customers to install a Windows based application in order to access a pool of more than 10,000 hacked devices worldwide.
“We created a fingerprint to identify the call-back infrastructure for SocksEscort proxies,” Spur co-founder Riley Kilmer said. “Looking at network telemetry, we were able to confirm that we saw victims talking back to it on various ports.”
According to Kilmer, AVrecon is the malware that gives SocksEscort its proxies.
“When Lumen released their report and IOCs [indicators of compromise], we queried our system for which proxy service call-back infrastructure overlapped with their IOCs,” Kilmer continued. “The second stage C2s they identified were the same as the IPs we labeled for SocksEscort.”
Lumen’s research team said the purpose of AVrecon appears to be stealing bandwidth – without impacting end-users – in order to create a residential proxy service to help launder malicious activity and avoid attracting the same level of attention from Tor-hidden services or commercially available VPN services.
“This class of cybercrime activity threat may evade detection because it is less likely than a crypto-miner to be noticed by the owner, and it is unlikely to warrant the volume of abuse complaints that internet-wide brute-forcing and DDoS-based botnets typically draw,” Lumen’s Black Lotus researchers wrote.
Preserving bandwidth for both customers and victims was a primary concern for SocksEscort in July 2022, when 911S5 — at the time the world’s largest known malware proxy network — got hacked and imploded just days after being exposed in a story here. Kilmer said after 911’s demise, SocksEscort closed its registration for several months to prevent an influx of new users from swamping the service.
Danny Adamitis, principal information security researcher at Lumen and co-author of the report on AVrecon, confirmed Kilmer’s findings, saying the C2 data matched up with what Spur was seeing for SocksEscort dating back to September 2022.
Adamitis said that on July 13 — the day after Lumen published research on AVrecon and started blocking any traffic to the malware’s control servers — the people responsible for maintaining the botnet reacted quickly to transition infected systems over to a new command and control infrastructure.
“They were clearly reacting and trying to maintain control over components of the botnet,” Adamitis said. “Probably, they wanted to keep that revenue stream going.”
Frustratingly, Lumen was not able to determine how the SOHO devices were being infected with AVrecon. Some possible avenues of infection include exploiting weak or default administrative credentials on routers, and outdated, insecure firmware that has known, exploitable security vulnerabilities.
KrebsOnSecurity briefly visited SocksEscort last year and promised a follow-up on the history and possible identity of its proprietors. A review of the earliest posts about this service on Russian cybercrime forums suggests the 12-year-old malware proxy network is tied to a Moldovan company that also offers VPN software on the Apple Store and elsewhere.
SocksEscort began in 2009 as “super-socks[.]com,” a Russian-language service that sold access to thousands of compromised PCs that could be used to proxy traffic. Someone who picked the nicknames “SSC” and “super-socks” and email address “michvatt@gmail.com” registered on multiple cybercrime forums and began promoting the proxy service.
According to DomainTools.com, the apparently related email address “michdomain@gmail.com” was used to register SocksEscort[.]com, super-socks[.]com, and a few other proxy-related domains, including ip-score[.]com, segate[.]org seproxysoft[.]com, and vipssc[.]us. Cached versions of both super-socks[.]com and vipssc[.]us show these sites sold the same proxy service, and both displayed the letters “SSC” prominently at the top of their homepages.
Image: Archive.org. Page translation from Russian via Google Translate.
According to cyber intelligence firm Intel 471, the very first “SSC” identity registered on the cybercrime forums happened in 2009 at the Russian language hacker community Antichat, where SSC asked fellow forum members for help in testing the security of a website they claimed was theirs: myiptest[.]com, which promised to tell visitors whether their proxy address was included on any security or anti-spam block lists.
Myiptest[.]com is no longer responding, but a cached copy of it from Archive.org shows that for about four years it included in its HTML source a Google Analytics code of US-2665744, which was also present on more than a dozen other websites.
Most of the sites that once bore that Google tracking code are no longer online, but nearly all of them centered around services that were similar to myiptest[.]com, such as abuseipdb[.]com, bestiptest[.]com, checkdnslbl[.]com, dnsbltools[.]com and dnsblmonitor[.]com.
Each of these services were designed to help visitors quickly determine whether the Internet address they were visiting the site from was listed by any security firms as spammy, malicious or phishous. In other words, these services were designed so that proxy service users could easily tell if their rented Internet address was still safe to use for online fraud.
Another domain with the Google Analytics code US-2665744 was sscompany[.]net. An archived copy of the site says SSC stands for “Server Support Company,” which advertised outsourced solutions for technical support and server administration.
Leaked copies of the hacked Antichat forum indicate the SSC identity registered on the forum using the IP address 71.229.207.214. That same IP was used to register the nickname “Deem3n®,” a prolific poster on Antichat between 2005 and 2009 who served as a moderator on the forum.
There was a Deem3n® user on the webmaster forum Searchengines.guru whose signature in their posts says they run a popular community catering to programmers in Moldova called sysadmin[.]md, and that they were a systems administrator for sscompany[.]net.
That same Google Analytics code is also now present on the homepages of wiremo[.]co and a VPN provider called HideIPVPN[.]com.
Wiremo sells software and services to help website owners better manage their customer reviews. Wiremo’s Contact Us page lists a “Server Management LLC” in Wilmington, DE as the parent company. Server Management LLC is currently listed in Apple’s App Store as the owner of a “free” VPN app called HideIPVPN.
“The best way to secure the transmissions of your mobile device is VPN,” reads HideIPVPN’s description on the Apple Store. “Now, we provide you with an even easier way to connect to our VPN servers. We will hide your IP address, encrypt all your traffic, secure all your sensitive information (passwords, mail credit card details, etc.) form [sic] hackers on public networks.”
When asked about the company’s apparent connection to SocksEscort, Wiremo responded, “We do not control this domain and no one from our team is connected to this domain.” Wiremo did not respond when presented with the findings in this report.
It’s only a smart lightbulb. Why would anyone want to hack that?
Great question. Because it gets to the heart of security matters for your IoT smart home devices.
Internet of Things (IoT) devices have certainly made themselves at home in recent years. Once a novelty, they’ve become far more commonplace. The numbers bear that out. Recent research indicates that the average U.S. household has 20.2 connected devices. Europe has 17.4 on average, while Japan trails at 10.3.
Of course, those figures largely account for computers, tablets, phones, and internet-connected smart TVs. Yet the study uncovered a sizable jump in the presence of other smart devices.
Comparing 2022 to 2021, smart homes worldwide had:
Consider that connected devices in the home rose just 10% globally during the same timeframe. It’s clear that IoT smart home device ownership is on the upswing. Yet has security kept up with all that growth?
That security question brings us back to the lightbulb.
An adage in security is this: if a device gets connected, it gets protected. And that protection has to be strong because a network is only as secure as its weakest link. Unfortunately, many IoT devices are indeed the weakest security links on home networks.
Some recent research sheds light on what’s at stake. Cybersecurity teams at the Florida Institute of Technology found that companion apps for several big brand smart devices had security flaws. Of the 20 apps linked to connected doorbells, locks, security systems, televisions, and cameras they studied, 16 had “critical cryptographic flaws” that might allow attackers to intercept and modify their traffic. These flaws might lead to the theft of login credentials and spying, the compromise of the connected device, or the compromise of other devices and data on the network.
Over the years, our research teams at McAfee Labs have uncovered similar security vulnerabilities in other IoT devices like smart coffee makers and smart wall plugs.
Vulnerabilities such as these have the potential to compromise other devices on the network.
Let’s imagine a smart lightbulb with poor security measures. As part of your home network, a motivated hacker might target it, compromise it, and gain access to the other devices on your network. In that way, a lightbulb might lead to your laptop—and all the files and data on it.
So yes, someone might be quite interested in hacking your lightbulb.
One Friday morning in 2016, great swathes of the American internet ground to a halt.
Major websites and services became unresponsive as internet directory services got flooded with millions and millions of malicious requests. As such, millions and millions of people were affected, along with public agencies and private businesses alike. Behind it, a botnet. An internet drone army of compromised IOT devices like digital video recorders and webcams.
Known as the Mirai botnet, its initial purpose was to target Minecraft game servers. Essentially to “grief” innocent players. Yet it later found its way into other hands. From there, it became among the first high-profile botnet attacks on the internet.
Botnet attacks can be small and targeted, such as when bad actors want to target a certain business (or game servers). And they can get as large as Mirai did. Regardless of size, these attacks rely on compromised devices. Consumer IoT devices often get targeted for such purposes for the same reasons listed above. They can lack strong security features out of the box, making them easy to enlist in a botnet.
In all, the threat of botnets makes another strong case for securing your devices.
To put a fine point on it, security in your smart home is an absolute must. And you can make your smart home far more secure with a few steps.
Many smart home devices use a smartphone as a sort of remote control, and to gather, store, and share data. So whether you’re an Android owner or an iOS owner, protect your smartphone so you can protect the things it accesses and controls—and the data stored on it too.
One issue with many IoT devices is that they often come with a default username and password. This could mean that your device and thousands of others just like it share the same credentials. That makes it easy for a hacker to access to them because those default usernames and passwords are often published online.
When you purchase any IoT device, set a fresh password using a strong method of password creation. Likewise, create an entirely new username for additional protection as well.
Banks and other online services commonly offer multi-factor authentication to help protect your accounts. In addition to using a username and password for login, it sends a security code to another device you own (often a mobile phone). It throws a big barrier in the way of hackers who try to force their way into your device with a password/username combination. If your IoT devices support multi-factor authentication, consider using it with them too.
Another device that needs good password protection is your internet router. Make sure you use a strong and unique password as well to help prevent hackers from breaking into your home network. Also consider changing the name of your home network so that it doesn’t personally identify you.
Fun alternatives to using your name or address include everything from movie lines like “May the Wi-Fi be with you” to old sitcom references like “Central Perk.” Also check that your router is using an encryption method, like WPA2 or the newer WPA3, which will keep your signal secure.
Older routers might have outdated security measures, which might make them more prone to attacks. If you’re renting yours from your internet provider, contact them for an upgrade. If you’re using your own, visit a reputable news or review site such as Consumer Reports for a list of the best routers that combine speed, capacity, and security.
In addition to fixing the odd bug or adding the occasional new feature, updates often fix security gaps. Out-of-date apps and devices might have flaws that hackers can exploit, so update regularly. If you can set your smart home apps and devices to receive automatic updates, select that option so that you’ll always have the latest.
Just as you can offer your guests secure access that’s separate from your own devices, you can create an additional network on your router that keeps your computers and smartphones separate from IoT devices. This way, if an IoT device is compromised, a hacker will still have difficulty accessing your other devices on your primary network that hosts your computers and smartphones.
You can take another strong security step before you even bring that new smart device home. Research.
Unfortunately, there are few consumer standards for smart devices. That’s unlike other household appliances. They must comply with government regulations, industry standards, and consumer-friendly standards like Energy Star ratings. So, some of the research burden falls on the buyer when it comes to purchasing the most secure devices.
Here are a few steps that can help:
A positive or high customer rating for a smart device is a good place to start, yet purchasing a safer device takes more than that. Impartial third-party reviewers like Consumer Reports will offer thorough reviews of smart devices and their security, as part of a paid subscription.
Likewise, look for other resources that account for device and data security in their writeups, such as the “Privacy Not Included” website. Run by a nonprofit organization, it reviews a wealth of apps and smart devices based on the strength of their security and privacy measures.
Whether you’re looking at a device made by a well-known company or one you haven’t heard of before, a web search can show you if they’ve had any reported privacy or security issues in the past. And just because you might be looking at a popular brand name doesn’t mean that you’ll make yourself more private or secure by choosing them. Companies of all sizes and years of operation have encountered problems with their smart home devices.
What you should look for, though, is how quickly the company addresses any issues and if they consistently have problems with them. Again, you can turn to third-party reviewers or reputable news sources for information that can help shape your decision.
Some smart devices will provide you with options around what data they collect and then what they do with it after it’s collected. Hop online and see if you can download some instructions for manuals for the devices you’re considering. They might explain the settings and permissions that you can enable or disable.
As mentioned above, multi-factor authentication provides an additional layer of protection. It makes things much more difficult for a hacker or bad actor to compromise your device, even if they know your password and username. Purchase devices that offer this as an option. It’s a terrific line of defense.
Some manufacturers are more security- and privacy-minded than others. Look for them. You might see a camera that has a physical shutter that caps the lens and blocks recording when it’s not in use. You might also find doorbell cameras that store video locally, instead of uploading it to the cloud where others can potentially access it. Also look for manufacturers that call out their use of encryption, which can further protect your data in transit.
Even the smallest of IoT smart home devices can lead to big issues if they’re not secured.
It only takes one poorly secured device to compromise everything else on an otherwise secure network. And with manufacturers in a rush to capitalize on the popularity of smart home devices, sometimes security takes a back seat. They might not thoroughly design their products for security up front, and they might not regularly update them for security in the long term.
Meanwhile, other manufacturers do a fine job. It takes a bit of research on the buyer’s part to find out which manufacturers handle security best.
Aside from research, a few straightforward steps can keep your smart devices and your network safe. Just as with any other connected device, strong passwords, multi-factor authentication, and regular updates remain key security steps.
For a secure smart home, just remember the adage: if a device gets connected, it gets protected.
The post Make Your Smart Home a Secure Home Too: Securing Your IoT Smart Home Devices appeared first on McAfee Blog.
The use of unmanaged and IoT devices in enterprises is growing exponentially, and will account for 55.7 billion connected devices by the end of 2025. A critical concern is deploying IoT devices without requisite security controls.
While these numbers are numbing, their reality is undeniable. 90% of customers believe digitization has accelerated the importance placed upon security. The World Economic Forum now lists cybersecurity failure as a critical threat, and estimates a gap of more than 3 million security experts worldwide, hindering secure deployments at scale. Furthermore, 83% of IoT-based transactions happen over plaintext channels and not SSL, making them especially risky.
Securing an IoT device can be achieved either through securing the IoT device itself, or hardening the network it accesses. Securing devices can be cumbersome, requiring complex manufacturing partnerships and increasing unit prices, thereby reducing adoption. On the other hand, securing the network is always desirable as it helps secure access, encrypt traffic, and ease management.
Being a leader in both security and networking, Cisco continues to bring security closer to networking, providing the network with built-in security, and enabling the network to act both as sensor and as an enforcer. The convergence of security and networking leverages the network’s intelligence and visibility to enable more-informed decisions on policy and threats.
Cisco uniquely integrates security and networking, for instance we recently integrated Cisco Secure Firewall to operate on Cisco Catalyst 9000 Series switches. Additionally, Secure Firewall can be deployed in a containerized form, on-premises and in clouds. Cisco Secure Firewall classifies traffic and protects applications while stopping exploitation of vulnerable systems. Additionally, we offer Identity Services Engine with AI Endpoint Analytics to passively identify IoT devices and apply segmentation policies. Furthermore, Cisco offers management flexibility by integrating with Cisco Defense Orchestrator and DNA Center and with existing customer tools like SIEMs and XDRs.
Let’s look at three use cases where the addition of Secure Firewall capability on Catalyst 9000 Series switches solves real world problems:
Use case 1: Securing the Smart Building: This solution is ideal to secure smart buildings, converging various IoT systems into a single IT-managed network infrastructure. Smart buildings lower the operational and energy costs. Smarter building systems, however, pose serious security risks as these include so many unmanaged devices such as window shades, lighting, tailored HVAC, and more. One of the methods to secure smart buildings is to control access to avoid manipulation of sensors. Such control is attained with a networking switch with enhanced firewall capability. The firewall ensures granular segmentation, directing policies for traffic generated out of IoT devices, providing access to the right users. This integration also brings security closer to endpoints, making policy orchestration simpler.
Use Case 2: Centrally manage isolated IoT network clusters: IoT devices which communicate with each other in the same subnet typically cannot be routed, which is a challenge. By default, most IoT networks are configured in the same subnet, making it difficult to manage them centrally. Administrators are forced to physically connect to the IoT network to manage and collect telemetry. Furthermore, IoT vendors often charge hefty amounts to update IP addresses of devices. Cisco Secure Firewall, hosted on the Catalyst switch, solves this problem and not only inspects traffic from the IoT network but also translates duplicate IoT IP addresses to unique global IP addresses using NAT for centralized management of isolated IoT networks.
Use Case 3: Securely encrypt IoT traffic passing through a shared IT network: At airports, for example, multiple vendors manage unique systems such as baggage, air quality, biometric access control, etc, which share a common network. IoT traffic is usually in plain text, making it susceptible to packet sniffing, eavesdropping, man-in-the-middle attacks, and other such exploits. The IPSec capability on Cisco Secure Firewall encrypts IoT traffic, securing data transfer and reducing risk.
Cisco’s IoT initiatives join the once disconnected worlds of IT and IoT, unifying networking and security. For further details refer to the At-A Glance and see how and an Australian oil company, Ampol, fortified its retail IoT with Cisco Secure!
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
Denis Emelyantsev, a 36-year-old Russian man accused of running a massive botnet called RSOCKS that stitched malware into millions of devices worldwide, pleaded guilty to two counts of computer crime violations in a California courtroom this week. The plea comes just months after Emelyantsev was extradited from Bulgaria, where he told investigators, “America is looking for me because I have enormous information and they need it.”
A copy of the passport for Denis Emelyantsev, a.k.a. Denis Kloster, as posted to his Vkontakte page in 2019.
First advertised in the cybercrime underground in 2014, RSOCKS was the web-based storefront for hacked computers that were sold as “proxies” to cybercriminals looking for ways to route their Web traffic through someone else’s device.
Customers could pay to rent access to a pool of proxies for a specified period, with costs ranging from $30 per day for access to 2,000 proxies, to $200 daily for up to 90,000 proxies.
Many of the infected systems were Internet of Things (IoT) devices, including industrial control systems, time clocks, routers, audio/video streaming devices, and smart garage door openers. Later in its existence, the RSOCKS botnet expanded into compromising Android devices and conventional computers.
In June 2022, authorities in the United States, Germany, the Netherlands and the United Kingdom announced a joint operation to dismantle the RSOCKS botnet. But that action did not name any defendants.
Inspired by that takedown, KrebsOnSecurity followed clues from the RSOCKS botnet master’s identity on the cybercrime forums to Emelyantsev’s personal blog, where he went by the name Denis Kloster. The blog featured musings on the challenges of running a company that sells “security and anonymity services to customers around the world,” and even included a group photo of RSOCKS employees.
“Thanks to you, we are now developing in the field of information security and anonymity!,” Kloster’s blog enthused. “We make products that are used by thousands of people around the world, and this is very cool! And this is just the beginning!!! We don’t just work together and we’re not just friends, we’re Family.”
But by the time that investigation was published, Emelyantsev had already been captured by Bulgarian authorities responding to an American arrest warrant. At his extradition hearing, Emelyantsev claimed he would prove his innocence in an U.S. courtroom.
“I have hired a lawyer there and I want you to send me as quickly as possible to clear these baseless charges,” Emelyantsev told the Bulgarian court. “I am not a criminal and I will prove it in an American court.”
RSOCKS, circa 2016. At that time, RSOCKS was advertising more than 80,000 proxies. Image: archive.org.
Emelyantsev was far more than just an administrator of a large botnet. Behind the facade of his Internet advertising company based in Omsk, Russia, the RSOCKS botmaster was a major player in the Russian email spam industry for more than a decade.
Some of the top Russian cybercrime forums have been hacked over the years, and leaked private messages from those forums show the RSOCKS administrator claimed ownership of the RUSdot spam forum. RUSdot is the successor forum to Spamdot, a far more secretive and restricted community where most of the world’s top spammers, virus writers and cybercriminals collaborated for years before the forum imploded in 2010.
A Google-translated version of the Rusdot spam forum.
Indeed, the very first mentions of RSOCKS on any Russian-language cybercrime forums refer to the service by its full name as the “RUSdot Socks Server.”
Email spam — and in particular malicious email sent via compromised computers — is still one of the biggest sources of malware infections that lead to data breaches and ransomware attacks. So it stands to reason that as administrator of Russia’s most well-known forum for spammers, Emelyantsev probably knows quite a bit about other top players in the botnet spam and malware community.
It remains unclear whether Emelyantsev made good on his promise to spill that knowledge to American investigators as part of his plea deal. The case is being prosecuted by the U.S. Attorney’s Office for the Southern District of California, which has not responded to a request for comment.
Emelyantsev pleaded guilty on Monday to two counts, including damage to protected computers and conspiracy to damage protected computers. He faces a maximum of 20 years in prison, and is currently scheduled to be sentenced on April 27, 2023.
Ampol has been Australia’s leading transport fuel company since 1900. What began over 125 years ago is now an organization that powers a country, operating 1,500 retail stores and stations across ANZ, plus 89 depots for refining and importing fuels and lubricants, and 8,200 employees throughout Australia, New Zealand, the United States, and Singapore. And while Ampol’s history goes back a century, they are a modern organization, using internet of things (IoT) technology across operational and retail locations, with sensors on everything from electric vehicle charging units to fuel tank gauges to transportation trucks to refrigeration units inside retail stores.
As a critical energy provider to a country of over 25 million people, Ampol’s security needed to match its evolving infrastructure. As Satish Chowdhary, Network Enterprise Architect, said, “At Ampol, we have implemented sensor technology across our network: from gauges in the fuel tanks to monitor fuel quality and quantity to sensors that monitor the temperature in various refrigerators across our retail sites to ensure goods stay chilled. It’s critical to manage these devices effectively and securely, and that’s where Cisco comes in…With IoT, a major security risk is posed by dodgy legacy devices left unpatched and vulnerable within your network. Cisco’s TrustSec and VLAN segregation automatically isolate vulnerable devices, not exposing the rest of the network to risks from untrusted devices.”
In addition to securing the IoT that let’s Ampol monitor and manage its critical operations, Cisco was able to create a comprehensive security environment that solved for their three strategic goals.
“Three key components of our cyber-resilient strategy were isolation, orchestration, and rapid recovery. Cisco SecureX nailed all three providing us a single interface to see all security events, and malicious files, thus expediting how fast we can isolate events and recover,” Chowdhary explained. “Before using Cisco Secure, security was a hindrance, not an enabler for our IT team, employees, and even customers,” he added.
In fact, Cisco Secure helped Ampol improve their security posture so much that they were able to quickly pivot during the early days of the pandemic.
“When Covid triggered supply challenges during lockdowns, people not being able to access groceries turned to their local service station convenience stores to get what they needed. For Ampol, maintaining that supply continuity was critical, not just for our business, but for the customers who were relying on us to get their supplies. And all of this was done when many employees were now having to work remotely… This was possible only because we could maintain our revamped locations, staff, clients, and business partners safe on our network – while still maintaining speed and efficiency. Cisco Secure was the ticket to Ampol’s resilience in the face of major change,” Chowdhary said.
In addition to enabling flexibility against supply chain fluctuations, Ampol is readily protected against threats, cyberattacks, and other vulnerabilities. Their Cisco security solution included:
“The major force for our Cisco Secure investment was simplification by integrating the entire Security portfolio…If we ever happen to have a cyber-attack, we can quickly find it and contain it,” Chowdhary said, adding, “The greatest outcome of using Cisco Secure is simplicity at its core. We achieved great efficiency integration, better visibility, and context that’s not hidden across five, ten, or fifteen consoles, and ultimately, greater security outcomes.”
To find out how else Cisco Secure is helping protect Ampol against sophisticated threats and other challenges, read the full Ampol case study.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
Last week, I was privileged to participate in an important national summit on IoT Security convened by Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technologies.
Representatives from across the US government, industry, and academia were invited to the White House to discuss a National Consumer IoT Security Labeling program.
In short, we were all there to solve the same problem: how do we raise awareness of the IoT security challenge among all consumers? Cisco appreciates the Biden administration’s efforts to drive better security into the consumer space given how interconnected our world is. We also underscored the importance of intelligent, intuitive networks in securely connecting the “things” being brought online daily—and in managing the billions of smart devices already in our homes and offices.
Consumer devices—from televisions and cameras to drones and baby monitors—have become attack targets as we have embraced connectivity without necessarily following proper security measures. This has been demonstrated by attacks that access cameras within these smart devices. But this issue extends beyond attacks and includes breaches of privacy too. If improperly secured, capabilities intended to enable smart features and accessibility, or improve user experience, can be abused by hackers to steal identities, generate data breaches, facilitate device failure, or even serve as stepping-stones to broader attacks on critical infrastructure.
A prominent example of how security flaws in consumer devices can lead to broader disruption was demonstrated by the Mirai botnet in 2016. What appeared initially as a targeted attack, quickly spread and caused global havoc. Fueled by compromised connected consumer devices—like cameras, DVRs and home routers—a Distributed Denial of Service attack (DDoS) impacted its customers’ sites such as Twitter, Netflix, and CNN to name a few. Mirai highlighted how consumer devices connecting to the network can go beyond the walls of a consumer’s home to breach larger institutions and services—all the while being unknown to the consumer and without impact the devices’ functions.
So how do we raise consumer awareness about these breaches? And how do we protect users and prevent these breaches in the future? The discussion at the White House focused on now best to effectuate the national program for IoT security labeling, which was required by President Biden’s executive order last May. Key stakeholders presented potentially promising new ideas for device certification, labels for secure devices, and ways to incentivize adoption of these standards.
Though the focus was on consumer IoT devices, we also discussed the broader implications of the need to raise awareness among consumers about the devices they use at home and in the office. This is where the importance of visibility and network security becomes a strong protector: once these devices can be identified, the network can provide the right access controls (e.g., segmenting the network so that such devices do not infiltrate the main network).
As the IoT market continues to evolve and mature, we look forward to working with the US government, policymakers, industry forums, and partners to drive open, standardized holistic IoT security and privacy practices. Accomplishing this will help more power a more secure, connected future for all.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
bpflock - eBPF driven security for locking and auditing Linux machines.
Note: bpflock is currently in experimental stage, it may break, options and security semantics may change, some BPF programs will be updated to use Cilium ebpf library.
bpflock uses eBPF to strength Linux security. By restricting access to a various range of Linux features, bpflock is able to reduce the attack surface and block some well known attack techniques.
Only programs like container managers, systemd and other containers/programs that run in the host pid and network namespaces are allowed access to full Linux features, containers and applications that run on their own namespace will be restricted. If bpflock bpf programs run under the restricted profile then all programs/containers including privileged ones will have their access denied.
bpflock protects Linux machines by taking advantage of multiple security features including Linux Security Modules + BPF.
Architecture and Security design notes:
bpflock offer multiple security protections that can be classified as:
System and Application tracing
Filesystem Protections
Network protections
bpflock keeps the security semantics simple. It support three global profiles to broadly cover the security sepctrum, and restrict access to specific Linux features.
profile: this is the global profile that can be applied per bpf program, it takes one of the followings:
FreshRSS allow|none|privileged : they are the same, they define the least secure profile. In this profile access is logged and allowed for all processes. Useful to log security events.baseline : restrictive profile where access is denied for all processes, except privileged applications and containers that run in the host namespaces, or per cgroup allowed profiles in the bpflock_cgroupmap bpf map.restricted : heavily restricted profile where access is denied for all processes.Allowed or blocked operations/commands:
Under the allow|privileged or baseline profiles, a list of allowed or blocked commands can be specified and will be applied.
--protection-allow : comma-separated list of allowed operations. Valid under baseline profile, this is useful for applications that are too specific and perform privileged operations. It will reduce the use of the allow | privileged profile, so instead of using the privileged profile, we can specify the baseline one and add a set of allowed commands to offer a case-by-case definition for such applications.--protection-block : comma-separated list of blocked operations. Valid under allow|privileged and baseline profiles, it allows to restrict access to some features without using the full restricted profile that might break some specific applications. Using baseline or privileged profiles opens the gate to access most Linux features, but with the --protection-block option some of this access can be blocked.For bpf security examples check bpflock configuration examples
bpflock needs the following:
Linux kernel version >= 5.13 with the following configuration:
If your kernel was compiled with CONFIG_BPF_LSM=y check the /boot/config-* to confirm, but when running bpflock it fails with:
must have a kernel with 'CONFIG_BPF_LSM=y' 'CONFIG_LSM=\"...,bpf\"'"
Then to enable BPF LSM as an example on Ubuntu:
GRUB_CMDLINE_LINUX variable and save. "lsm=lockdown,capability,yama,apparmor,bpf"
GRUB_CMDLINE_LINUX="lsm=lockdown,capability,yama,apparmor,bpf"
sudo update-grub2To run using the default allow or privileged profile (the least secure profile):
docker run --name bpflock -it --rm --cgroupns=host \
--pid=host --privileged \
-v /sys/kernel/:/sys/kernel/ \
-v /sys/fs/bpf:/sys/fs/bpf linuxlock/bpflockTo log and restict fileless binary execution run with:
docker run --name bpflock -it --rm --cgroupns=host --pid=host --privileged \
-e "BPFLOCK_FILELESSLOCK_PROFILE=restricted" \
-v /sys/kernel/:/sys/kernel/ \
-v /sys/fs/bpf:/sys/fs/bpf linuxlock/bpflockWhen running under restricted profile, the container logs will display:
restricted profile may break things, this is why the default profile is allow. To apply Kernel Modules Protection run with environment variable BPFLOCK_KMODLOCK_PROFILE=baseline or BPFLOCK_KMODLOCK_PROFILE=restricted:
docker run --name bpflock -it --rm --cgroupns=host --pid=host --privileged \
-e "BPFLOCK_KMODLOCK_PROFILE=restricted" \
-v /sys/kernel/:/sys/kernel/ \
-v /sys/fs/bpf:/sys/fs/bpf linuxlock/bpflockExample:
$ sudo unshare -p -n -f
# modprobe xfs
modprobe: ERROR: could not insert 'xfs': Operation not permittedTo apply Kernel Image Lock-down run with environment variable BPFLOCK_KIMGLOCK_PROFILE=baseline:
docker run --name bpflock -it --rm --cgroupns=host --pid=host --privileged \
-e "BPFLOCK_KIMGLOCK_PROFILE=baseline" \
-v /sys/kernel/:/sys/kernel/ \
-v /sys/fs/bpf:/sys/fs/bpf linuxlock/bpflock$ sudo unshare -f -p -n bash
# head -c 1 /dev/mem
head: cannot open '/dev/mem' for reading: Operation not permittedTo apply bpf restriction run with environment variable BPFLOCK_BPFRESTRICT_PROFILE=baseline or BPFLOCK_BPFRESTRICT_PROFILE=restricted:
docker run --name bpflock -it --rm --cgroupns=host --pid=host --privileged \
-e "BPFLOCK_BPFRESTRICT_PROFILE=baseline" \
-v /sys/kernel/:/sys/kernel/ \
-v /sys/fs/bpf:/sys/fs/bpf linuxlock/bpflockExample running in a different pid and network namespaces and using bpftool:
$ sudo unshare -f -p -n bash
# bpftool prog
Error: can't get next program: Operation not permitted-e "BPFLOCK_BPFRESTRICT_PROFILE=restricted" profile will deny bpf for all: Passing configuration as bind mounts can be achieved using the following command.
Assuming bpflock.yaml and bpf.d profiles configs are in current directory inside bpflock directory, then we can just use:
ls bpflock/
bpf.d bpflock.d bpflock.yamldocker run --name bpflock -it --rm --cgroupns=host --pid=host --privileged \
-v $(pwd)/bpflock/:/etc/bpflock \
-v /sys/kernel/:/sys/kernel/ \
-v /sys/fs/bpf:/sys/fs/bpf linuxlock/bpflockPassing environment variables can also be done with files using --env-file. All parameters can be passed as environment variables using the BPFLOCK_$VARIABLE_NAME=VALUE format.
Example run with environment variables in a file:
docker run --name bpflock -it --rm --cgroupns=host --pid=host --privileged \
--env-file bpflock.env.list \
-v /sys/kernel/:/sys/kernel/ \
-v /sys/fs/bpf:/sys/fs/bpf linuxlock/bpflockDocumentation files can be found here.
bpflock uses docker BuildKit to build and Golang to make some checks and run tests. bpflock is built inside Ubuntu container that downloads the standard golang package.
Run the following to build the bpflock docker container:
git submodule update --init --recursive
makeBpf programs are built using libbpf. The docker image used is Ubuntu.
If you want to only build the bpf programs directly without using docker, then on Ubuntu:
sudo apt install -y pkg-config bison binutils-dev build-essential \
flex libc6-dev clang-12 libllvm12 llvm-12-dev libclang-12-dev \
zlib1g-dev libelf-dev libfl-dev gcc-multilib zlib1g-dev \
libcap-dev libiberty-dev libbfd-devThen run:
make bpf-programsIn this case the generated programs will be inside the ./bpf/build/... directory.
bpflock uses lot of resources including source code from the Cilium and bcc projects.
The bpflock user space components are licensed under the Apache License, Version 2.0. The BPF code where it is noted is licensed under the General Public License, Version 2.0.
nas-1200
At Black Hat USA 2020, Trend Micro presented two important talks on vulnerabilities in Industrial IoT (IIoT). The first discussed weaknesses in proprietary languages used by industrial robots, and the second talked about vulnerabilities in protocol gateways. Any organization using robots, and any organization running a multi-vendor OT environment, should be aware of these attack surfaces. Here is a summary of the key points from each talk.
Rogue Automation
Presented at Black Hat, Wednesday, August 5. https://www.blackhat.com/us-20/briefings/schedule/index.html#otrazor-static-code-analysis-for-vulnerability-discovery-in-industrial-automation-scripts-19523 and the corresponding research paper is available at https://www.trendmicro.com/vinfo/us/security/news/internet-of-things/unveiling-the-hidden-risks-of-industrial-automation-programming
Industrial robots contain powerful, fully capable computers. Unlike most contemporary computers, though, industrial robots lack basic information security capabilities. First, at the architectural level, they lack any mechanism to isolate certain instructions or memory. That is, any program can alter any piece of storage, or run any instruction. In traditional mainframes, no application could access, change, or run any code in another application or in the operating system. Even smartphone operating systems have privilege separation. An application cannot access a smartphone’s camera, for instance, without being specifically permitted to do so. Industrial robots allow any code to read, access, modify, or run any device connected to the system, including the clock. That eliminates data integrity in industrial robots and invalidates any audit of malfunctions; debugging becomes exceptionally difficult.
Industrial robots do not use conventional programming languages, like C or Python. Instead, each manufacturer provides its own proprietary programming language. That means a specialist using one industrial robot cannot use another vendor’s machine without training. There are no common information security tools for code validation, since vendors do not develop products for fragmented markets. These languages describe programs telling the robot how to move. They also support reading and writing data, analyzing and modifying files, opening and closing input/output devices, getting and sending information over a network, and accessing and changing status indicators on connected sensors. Once a program starts to run on an industrial robot, it can do anything any fully functional computer can do, without any security controls at all. Contemporary industrial robots do not have any countermeasures against this threat.
Most industrial robot owners do not write their own programs. The supply chain for industrial robot programs involves many third-party actors. See Figure 1 below for a simplified diagram. In each community, users of a particular vendor’s languages share code informally, and rely on user’s groups for hints and tips to solve common tasks. These forums rarely discuss security measures. Many organizations hire third-party contractors to implement particular processes, but there are no security certifications relevant to these proprietary languages. Most programmers learned their trade in an air-gapped world, and still rely on a perimeter which separates the safe users and code inside from the untrusted users and code outside. The languages offer no code scanners to identify potential weaknesses, such as not validating inputs, modifying system services, altering device state, or replacing system functions. The machines do not have a software asset management capability, so knowing where the components of a running program originated from is uncertain.
Figure 1: The Supply Chain for Industrial Robot Programming
All is not lost – not quite. In the short term, Trend Micro Research has developed a static code analysis tool called OTRazor, which examines robotic code for unsafe code patterns. This was demonstrated during our session at Black Hat.
Over time, vendors will have to introduce basic security checks, such as authentication, authorization, data integrity, and data confidentiality. The vendors will also have to introduce architectural restrictions – for instance, an application should be able to read the clock but not change it.. Applications should not be able to modify system files, programs, or data, nor should they be able to modify other applications. These changes will take years to arrive in the market, however. Until then, CISOs should audit industrial robot programs for vulnerabilities, and segment networks including industrial robots, and apply baseline security programs, as they do now, for both internally developed and procured software.
Protocol Gateway Vulnerabilities
Presented at Black Hat, Wednesday, August 5, https://www.blackhat.com/us-20/briefings/schedule/index.html#industrial-protocol-gateways-under-analysis-20632, with the corresponding research paper available here: https://www.trendmicro.com/vinfo/us/security/news/internet-of-things/lost-in-translation-when-industrial-protocol-translation-goes-wrong.
Industry 4.0 leverages the power of automation alongside the rich layer of software process control tools, particularly Enterprise Resource Planning (ERP), and its bigger cousin, Supply Chain Management (SCM). By bringing together dynamic industrial process control with hyper-efficient “just-in-time” resource scheduling, manufacturers can achieve minimum cost, minimum delay, and optimal production. But these integration projects require that IIoT devices speak with other technology, including IIoT from other manufacturers and legacy equipment. Since each equipment or device may have their own communication protocol, Industry 4.0 relies heavily on protocol converters.
Protocol converters are simple, highly efficient, low-cost devices that translate one protocol into another. Protocol converters are ubiquitous, but they lack any basic security capabilities – authentication, authorization, data integrity or data confidentiality – and they sit right in the middle of the OT network. Attackers can subvert protocol converters to hijack the communication or change configuration. An attacker can disable a safety thresholds, generate a denial of service attack, and misdirect an attached piece of equipment.
In the course of this research, we found nine vulnerabilities and are working with vendors to remediate the issues. Through our TXOne subsidiary, we are developing rules and intelligence specifically for IIoT message traffic, which are then embedded in our current network security offerings, providing administrators with better visibility and the ability to enforce security policies in their OT networks.
Protocol converters present a broad attack surface, as they have limited native information security capabilities. They don’t validate senders or receivers, nor do they scan or verify message contents. Due to their crucial position in the middle of the OT network, they are an exceptionally appealing target for malicious actors. Organizations using protocol converters – especially those on the way to Industry 4.0 – must address these weak but critical components of their evolving infrastructure.
What do you think? Let me know in the comments below or @WilliamMalikTM
The post Black Hat Trip Report – Trend Micro appeared first on .
“Alexa, turn on the TV.”
”Get it yourself.”
This nightmare scenario could play out millions of times unless people take steps to protect their IoT devices. The situation is even worse in industrial settings. Smart manufacturing, that is, Industry 4.0, relies on tight integration between IT systems and OT systems. Enterprise resource planning (ERP) software has evolved into supply chain management (SCM) systems, reaching across organizational and national boundaries to gather all forms of inputs, parting out subcomponent development and production, and delivering finished products, payments, and capabilities across a global canvas.
Each of these synergies fulfills a rational business goal: optimize scarce resources across diverse sources; minimize manufacturing, shipping, and warehousing expense across regions; preserve continuity of operations by diversifying suppliers; maximize sales among multiple delivery channels. The supply chain includes not only raw materials for manufacturing, but also third party suppliers of components, outsourced staff for non-core business functions, open source software to optimize development costs, and subcontractors to fulfill specialized design, assembly, testing, and distribution tasks. Each element of the supply chain is an attack surface.
Software development has long been a team effort. Not since the 1970s have companies sought out the exceptional talented solo developer whose code was exquisite, flawless, ineffable, undocumented, and impossible to maintain. Now designs must be clear across the team, and testing requires close collaboration between architects, designers, developers, and production. Teams identify business requirements, then compose a solution from components sourced from publically shared libraries. These libraries may contain further dependencies on yet other third-party code of unknown provenance. Simplified testing relies on the quality of the shared libraries, but shared library routines may have latent (or intentionally hidden) defects that do not come to life until in a vulnerable production environment. Who tests GitHub? The scope of these vulnerabilities is daunting. Trend Micro just published a report, “Attacks on Smart Manufacturing Systems: A Forward-looking Security Analysis,” that surveys the Industry 4.0 attack surface.
Within the manufacturing operation, the blending of IT and OT exposes additional attack surfaces. Industrial robots provide a clear example. Industrial robots are tireless, precision machines programmed to perform exacting tasks rapidly and flawlessly. What did industry do before robots? Factories either relied on hand-built products or on non-programmable machines that had to be retooled for any change in product specifications. Hand-built technology required highly skilled machinists, who are expensive and require time to deliver. See Figure 1 for an example.
Figure 1: The cost of precision
Non-programmable robots require factory down time for retooling, a process that can take weeks. Before programmable industrial robots, automobile factories would deliver a single body style across multiple years of production. Programmable robots can produce different configurations of materials with no down time. They are used everywhere in manufacturing, warehousing, distribution centers, farming, mining, and soon guiding delivery vehicles. The supply chain is automated.
However, the supply chain is not secure. The protocols industrial robots depend on assumed the environment was isolated. One controller would govern the machines in one location. Since the connection between the controller and the managed robots was hard-wired, there was no need for operator identification or message verification. My controller would never see your robot. My controller would only connect to my robot, so the messages they exchanged needed no authentication. Each device assumed all its connections were externally verified. Even the safety systems assumed the network was untainted and trustworthy. No protocols included any security or privacy controls. Then Industry 4.0 adopted wireless communications.
The move, which saved the cost of laying cable in the factory, opened those networks to eavesdropping and attacks. Every possible attack against industrial robots is happening now. Bad guys are forging commands, altering specifications, changing or suppressing error alerts, modifying output statistics, and rewriting logs. The consequences can be vast yet nearly undetectable. In the current report on Rogue Robots, our Forward-looking Threat Research team, collaborating with the Politecnico di Milano (POLIMI), analyzes the range of specific attacks today’s robots face, and the potential consequences those attacks may have.
Owners and operators of programmable robots should heed the warnings of this research, and consider various suggested remedies. Forewarned is forearmed.
The Rogue Robots research is here: https://www.trendmicro.com/vinfo/us/security/news/internet-of-things/rogue-robots-testing-industrial-robot-security.
The new report, Attacks on Smart Manufacturing Systems: A Forward-looking Security Analysis, is here: https://www.trendmicro.com/vinfo/us/security/threat-intelligence-center/internet-of-things/threats-and-consequences-a-security-analysis-of-smart-manufacturing-systems.
What do you think? Let me know in the comments below, or @WilliamMalikTM.
The post Securing Smart Manufacturing appeared first on .
We continue our four-part series on protecting your home and family. See the links to the previous parts at the end of this blog.
We’re now done with familiarizing ourselves with the features of Trend Micro Home Network Security (HNS) It’s now time for you to get a bit more adept at regular monitoring and maintenance, to ensure you’re getting the best protection HNS can provide your connected home.
Once you’re tracking the various internet-capable devices in your home within HNS, as with any security-related device it’s essential to monitor the activities captured by it. In the same way that we need to periodically review the videos taken by our security cameras, to check for any unusual events in or around the home that need our attention; so too, do you need to keep abreast of the goings on in your home network, particularly those of an unusual or suspect nature, as revealed by HNS. This can easily be done in two ways: via Voice Control and Reports.
Voice Control. When you want just a quick overview of the status of your network, you can use HNS’s Voice Control. Voice Control is available as a skill for both Amazon Alexa and Google Home.
Once the skill has been enabled, you can ask Alexa or Google Assistant to control your Home Network Security (HNS) using the following voice commands:
|
|
Reports. On the other hand, if you have more time to spare, you can peruse the Reports for your devices, user profiles, and network usage.
|
|
Now that you’re more acquainted with your home network through HNS, it’s vital that you know what to do when, for instance, you received a Smart Alert notification indicating an unusually high network activity detected on one of your connected devices.
A Range of Network Events. In brief, you’ll need to review the recent activities and perform the required actions to eliminate risks such as the following:
|
|
For more specific information regarding these types of incidents, you may refer to this Technical Support article.
The Home Network Security Station takes care of your home and your family’s security and safety. In return, you should know how to check if it’s in good working condition.
Physical Status. Check whether the physical components (LED, Reset button, Power, and Ethernet ports) of your Station are intact.
Power. Ensure that the Station is powered on. To check if the Station has power supply, just follow these simple steps:
|
|
Offline Notifications. When the HNS Station is offline the user will receive a notification about it. In addition, the HNS app will indicate the Station is offline. This situation can be attributed to loss of either the internet or LAN connections.
Internet Connection. Make sure you have stable internet connection. Checking your internet connection is easy:
|
|
If you are able to connect to the internet, just reconnect your Home Network Security Station to the router.
LAN Connection. Check the connection between the router and the HNS Station.
|
|
Updates. Make sure that you update the HNS App if you receive a notification that indicates, “Update Needed. Please click the button below to get the latest version.” This will guarantee that your HNS is up-to-date with app improvements.
Getting Help. Always remember, if you encounter any questions, issues or concerns that you’re unable to resolve, Help is just a click away.
Home networks are everywhere these days. However, the user knowledge required to secure and maintain our home networks spans from tech newbies to gurus and often seems to be a rather complicated or even confusing task.
To help you maintain and monitor your home network, Trend Micro offers a simple plug-and-protect home network device to protect your smart home and connected devices from being hacked, while keeping the internet safe for your kids on any device. But plug-and-protect doesn’t mean plug-and-forget. As with any security device, ongoing monitoring and maintenance is needed to provide the best protection your home network and family members need and deserve.
For more information, go to Trend Micro Home Network Security.
To read the rest of our series on HNS, go to
You’re in Safe Hands with Trend Micro Home Network Security – Part 1: Setup and Configuration
Trend Micro Home Network Security Has Got You Covered – Part 2: Parental Controls
In Safe Hands with Trend Micro Home Network Security – Part 3: Testing Its Functions
The post Monitoring and Maintaining Trend Micro Home Network Security – Part 4: Best Practices appeared first on .
We continue our four-part series on protecting your home and family. See the links to the previous parts at the end of this blog.
As you use more internet-connected devices and smart appliances in your home, it’s of utmost importance to make sure your gadgets are properly protected from malware and hackers—and Trend Micro Home Network Security (HNS) helps you do just that. But while it’s easy to set up, connect, and configure (and even to forget!), you reap the most benefit when you’re actively involved with it, maintaining and monitoring its features and controls.
Start by asking the question: Are you sure your home network is secure? As you learn what network security entails, by the end of this blog you’ll be able to answer that question confidently. The more you’re involved with HNS, as the tech-savvy “guru” of the household, the more you’ll know when things are properly secured.
We’ll cover three main topics in Part 3 of our 4-part series, where we help you to test the following features: Threat Blocking, Access Control, and Parental Controls.
To better understand how HNS blocks malware on malicious websites from being downloaded to your devices, open your browser either from your mobile device or PC then proceed to these links:
http://www.eicar.org/download/eicar.com
When you run these tests, the test URL will be blocked, your browser will say “Website Blocked by Trend Micro Home Network Security,” and the payload will not be downloaded to the test device. The HNS app will then notify you that a web threat has been blocked, along with the name of the test device that was able to detect it. In the future, you should monitor the HNS app for such messages, so you can see which malicious sites your family has been accessing and warn them.
Next, there are three aspects of Access Control that you should test to familiarize yourself with the features. They are: Approving and Rejecting Devices, Remote Access Protection, and Disconnecting Devices.
Device control is the first part of access control.
|
|
Based on the decision to Allow Connection, verify the connection status on the new device by navigating to a webpage or using an application that connects to the internet.
For the next test, Remote Access Protection, you’ll use a real-world remote-access program commonly used in tech support scams. Note that remote desktop software such as LogMeIn, AnyDesk, TeamViewer, and others are not inherently harmful, but malicious hackers often use them for nefarious activities, such as tech support scams, where they lure you into downloading such a program, pretending they need it to “solve” your computer problems. Unsuspecting consumers around the world have fallen victim to such scams, often losing a large amount of money in fake support fees and ransoms. Additionally, such hackers can use remote desktop programs to scoop up your private data and sell it on the Dark Web.
Home Network Security gives owners peace of mind by preventing these types of Remote Desktop programs from establishing connections with remote computers.
In this test, we will use the free version of TeamViewer.
|
|
HNS will block the TeamViewer session and the HNS app will receive a notification of a remote access connection attempt, along with the name of the target PC. Once you’ve run your tests and understand how this access blocking works, you can delete the instances of TeamViewer on your devices, if you have no need of them.
Next, you should test Disconnecting Devices.
|
|
As we indicated in our last installment of this series, there are many facets to HNS’s Parental Controls. In this segment we will check the effectiveness of its Website Filtering, Content Filtering, App Controls, Time Limits, and Connection Alert & Notification capabilities.
Testing Website Filtering is easy.
|
|
The browser will show, “Website Blocked by Trend Micro Home Network Security” and indicate the rule that triggered the block, i.e., the Category: Personals/Dating rule in our test. The HNS app will receive a notification indicating HNS prevented your “Pre-Teen device” was from visiting a Personals/Dating site. Tapping the notification will show more details, such as the time and website visited.
Moving forward, Content Filtering is next in our checklist.
|
|
When it’s toggled ON, you can try to search for inappropriate content, such as red band trailersDoing this, the user will see a message that says, “Some results have been removed because Restricted Mode is enabled by your network administrator.” In addition, videos with mature or inappropriate content will not be displayed when you open YouTube’s Home page.
To continue, you can test the Inappropriate App Used functionality. Note that this feature only logs the apps opened in your devices; it does not block those apps from being used by the child.
|
|
Next, on your test mobile device, open any of the apps that correspond to the App Categories you’ve chosen. For instance, when a gaming app is opened, The HNS app should get a notification that a Games App was found in the user’s device. Tapping this notification should open the Report section where more detailed information is presented, such as the name of the app, the amount of time it was used, and the name of the device that triggered the notification.
To test Time Limits, you can set up a simple rule that consists of the chosen days the family member can use the internet, set the internet time limit, and set the time spent on YouTube within the set time period they’re allowed to use the internet, then enable notifications for this rule.
As an example:
|
|
To check if the rule is working, look for when the user attempts to surf and use YouTube beyond what’s permitted by the rule. HNS will block access to the internet and YouTube and provide you with a notification that says the YouTube or internet time limit has been reached by the user account. This notification is also logged in the user profile’s Report section.
Let’s wrap up testing the Parental Control features with enabling Connection Alert. This allows you to receive a notification when a device you choose, like your child’s mobile phone, reconnects to your HNS-secure network after getting home from school.
To do this, from the HNS App’s User Account > Settings, enable Connection Alert to indicate when the devices you have selected connect to the home network, according to your set schedule. You’ll only receive notifications of connections from HNS during that scheduled time.
Is your network secure? As the techie in your household, you’re the designated technical support for the family. As the saying usually goes, “Heavy is the head that wears the crown,” but armed with what you’ve just learned about Trend Micro Home Network Security’s capabilities, your burden will lighten significantly and you and your family will stay safe and secure from constantly evolving network threats.
Go to our website for more information on Trend Micro Home Network Security. And watch for Part 4 of this series, where we wind up with some additional monitoring and maintenance best practices.
Go here for Parts 1 and 2 of our series:
You’re in Safe Hands with Trend Micro Home Network Security – Part 1: Setup and Configuration
Trend Micro Home Network Security Has Got You Covered – Part 2: Parental Controls
The post In Safe Hands with Trend Micro Home Network Security – Part 3: Testing Its Functions appeared first on .
