I am a public-interest technologist, working at the intersection of security, technology, and people. I’ve been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998. I’m a fellow and lecturer at Harvard’s Kennedy School and a board member of EFF. This personal website expresses the opinions of neither of those organizations.
End-to-end encryption is a staple of secure messaging apps like WhatsApp and Signal. It ensures that no one—even the app developer—can access your data as it traverses the web. But what if you could bring some version of that protection to increasingly ubiquitous—and notoriously insecure—Internet of Things devices?
The Swiss cryptography firm Teserakt is trying just that. Earlier this month at the Real World Crypto conference in New York it introduced E4, a sort of cryptographic implant that IoT manufacturers can integrate into their servers. Today most IoT data is encrypted on at least some legs of its journey, typically by TLS between a device and whichever server or broker it talks to next, but it is hard to keep that protection unbroken for the whole ride: every intermediary that terminates a TLS connection sees the plaintext before re-encrypting it for the next hop. E4 would do most of that work behind the scenes, so that whether companies make home routers, industrial control sensors, or web cams, all the data transmitted between the devices and their manufacturers can stay encrypted from one end to the other.
Tech companies already rely on web encryption to keep IoT data secure, so it’s not like your big-name fitness tracker is transmitting your health data with no protection. But E4 aims to provide a more comprehensive, open-source approach that’s tailored to the realities of IoT. Carmakers managing dozens of models and hundreds of thousands of vehicles, or an energy company that takes readings from a massive fleet of smart meters, could have more assurance that full encryption protections really extend to every digital layer that data will cross.
“What we have now is a whole lot of different devices in different industries sending and receiving data,” says Jean-Philippe Aumasson, Teserakt’s CEO. “That data might be software updates, telemetry data, user data, personal data. So it should be protected between the device that produces it and the device that receives it, but technically it’s very hard when you don’t have the tools. So we wanted to build something that was easy for manufacturers to integrate at the software level.”
Being open source is also what gives the Signal Protocol, which underpins Signal and WhatsApp, so much credibility. It means experts can check under the hood for vulnerabilities and flaws. And it enables any developer to adopt the protocol in their product, rather than attempting the fraught and risky task of developing encryption protections from scratch.
Aumasson says that the Signal Protocol itself doesn’t translate literally to IoT, which makes sense. Messaging apps involve remote but still direct, human-to-human interaction, whereas populations of embedded devices send data back to a manufacturer or vice versa. IoT needs a scheme that accounts for these “many-to-one” and “one-to-many” data flows. And end-to-end encryption has different privacy goals when it is applied to IoT versus secure messaging. Encrypted chat apps essentially aim to lock the developer, internet service providers, nation state spies, and any other snoops out. But in the IoT context, the manufacturer is one of the two endpoints and still has access to its customers’ data; the goal instead is to protect the data from every other party in the middle, including Teserakt itself.
It also only hardens IoT defenses against a specific type of problem. E4 looks to improve defenses for information in transit, offering confidentiality against interception and integrity protection against manipulation. But just as encrypted chat services can’t protect your messages if bad actors have access to your smartphone itself, E4 doesn’t protect against a company’s servers being compromised or improve security on the IoT devices themselves.
“I think it’s a good idea, but developers would need to keep in mind that it covers only one part of data protection,” says Jatin Kataria, principal scientist at the IoT security firm Red Balloon. “What’s the security architecture of the embedded device itself and the servers that are receiving this data? If those two endpoints are not that secure then end-to-end encryption will only get you so far.”
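The many-to-one flow described above, and the limits Kataria points to, can be made concrete with a small Go program. This is an added example written for this page, not Teserakt’s E4 code, and it assumes a hypothetical key scheme (a per-device AES-256 key derived from a manufacturer-held master secret with SHA-256) and a constructed message format; the page does not describe E4’s actual key management or wire format. The relay in the middle can route the envelope and tamper with it, but cannot read it, re-label it as coming from a different device, or modify it without the manufacturer’s server noticing.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Envelope is the message that crosses the untrusted middle (a broker, a
// cloud relay, the vendor of the encryption layer). Only DeviceID is readable
// by the relay; it is routing metadata, not a secret.
type Envelope struct {
	DeviceID   string
	Nonce      []byte
	Ciphertext []byte // AES-GCM output: ciphertext followed by the 16-byte tag
}

// DeriveDeviceKey derives a per-device AES-256 key from a master secret held
// only by the manufacturer. Hypothetical scheme for this example; the page does
// not describe E4's actual key schedule.
func DeriveDeviceKey(master []byte, deviceID string) []byte {
	h := sha256.New()
	h.Write(master)
	h.Write([]byte("device-key:"))
	h.Write([]byte(deviceID))
	return h.Sum(nil)
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal runs on the device with its provisioned key. The device ID is bound as
// associated data, so a relay cannot re-label one device's telemetry as
// another's without breaking the authentication tag.
func Seal(deviceKey []byte, deviceID string, plaintext []byte) (Envelope, error) {
	aead, err := newAEAD(deviceKey)
	if err != nil {
		return Envelope{}, err
	}
	// Random 96-bit nonce; a device without a good RNG must use a counter
	// instead, because a repeated nonce under the same key breaks GCM.
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := aead.Seal(nil, nonce, plaintext, []byte(deviceID))
	return Envelope{DeviceID: deviceID, Nonce: nonce, Ciphertext: ct}, nil
}

// Open runs on the manufacturer's server: it re-derives the device key from the
// master secret and rejects anything the relay changed.
func Open(master []byte, env Envelope) ([]byte, error) {
	aead, err := newAEAD(DeriveDeviceKey(master, env.DeviceID))
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, env.Nonce, env.Ciphertext, []byte(env.DeviceID))
}

// RelayTamper models a hostile or compromised relay flipping one ciphertext bit.
func RelayTamper(env Envelope) Envelope {
	out := env
	out.Ciphertext = append([]byte(nil), env.Ciphertext...)
	out.Ciphertext[0] ^= 0x01
	return out
}

func main() {
	master := []byte("constructed fleet master secret, not a real key")
	const id = "meter-0042"
	env, _ := Seal(DeriveDeviceKey(master, id), id, []byte(`{"kwh":17.3}`)) // constructed sample telemetry
	pt, err := Open(master, env)
	fmt.Printf("server decrypts: %s (err=%v)\n", pt, err)
	_, err = Open(master, RelayTamper(env))
	fmt.Printf("tampered copy rejected: %v\n", err != nil)
	relabeled := env
	relabeled.DeviceID = "meter-0043"
	_, err = Open(master, relabeled)
	fmt.Printf("re-labelled copy rejected: %v\n", err != nil)
}
```

Because the scheme is symmetric, the same primitives serve the one-to-many direction (the server sealing a firmware blob or command to a device with that device’s key), which is why key provisioning, not the cipher, is the hard part at fleet scale. Note also what the example does not do: a device that leaks its key, or a server that leaks the master secret, is outside the protection, which is exactly the endpoint caveat raised above.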
Teserakt has been consulting with big tech companies in aerospace, healthcare, agriculture, and the automotive and energy sectors to develop E4, and plans to monetize the tool by charging companies to customize implementations for their specific infrastructure. The company has not yet open-sourced full server code for E4 alongside the protocol details and cryptography documentation it released, but says that final step will come as soon as the documentation is complete. Given the glacial pace of investment in IoT security overall, you probably shouldn’t expect E4 to be protecting the whole industry anytime soon, anyway.
Source: National Cyber Security – Produced By Gregory Evans Internet-connected gadgets like lightbulbs and fitness trackers are notorious for poor security. That’s partly because they’re often made cheaply and with haste, which leads to careless mistakes and outsourcing of problematic parts. But it’s also partly due to the lack of computing power in the first […]
Back in the 1970s, “darknet” wasn’t an ominous term: it simply referred to networks that were isolated from the mainstream of ARPANET for security purposes. But as ARPANET became the internet and then swallowed up nearly all the other computer networks out there, the word came to identify areas that were connected to the internet but not quite of it, difficult to find if you didn’t have a map.
The so-called dark web, a catch-all phrase covering the parts of the internet not indexed by search engines, is the stuff of grim legend. But like most legends, the reality is a bit more pedestrian. That’s not to say that scary stuff isn’t available on dark web websites, but some of the whispered horror stories you might’ve heard don’t make up the bulk of the transactions there.
We spoke to some security pros who offered to give us a bit of a guided tour of the web’s nether regions. Hopefully it will demystify things a bit.
Here are ten things you might not know about the dark web.
New dark web sites pop up every day…
A 2015 white paper from threat intelligence firm Recorded Future examines the linkages between the Web you know and the darknet. The paths usually begin on sites like Pastebin, originally intended as an easy place to upload long code samples or other text but now often where links to the anonymous Tor network are stashed for a few days or hours for interested parties.
While searching for dark web sites isn’t as easy as using Google—the point is to be somewhat secretive, after all—there are ways to find out what’s there. The screenshot below was provided by Radware security researcher Daniel Smith, and he says it’s the product of “automatic scripts that go out there and find new URLs, new onions, every day, and then list them. It’s kind of like Geocities, but 2018”—a vibe that’s helped along by pages with names like “My Deepweb Site,” which you can see on the screenshot.
…and many are perfectly innocent
Matt Wilson, chief information security advisor at BTB Security, says that “there is a tame/lame side to the dark web that would probably surprise most people. You can exchange some cooking recipes—with video!—send email, or read a book. People use the dark web for these benign things for a variety of reasons: a sense of community, avoiding surveillance or tracking of internet habits, or just to do something in a different way.”
It’s worth remembering that what flourishes on the darknet is material that’s been banned elsewhere online. For example, in 2015, in the wake of the Chinese government cracking down on VPN connections through the so-called “great firewall,” Chinese-language discussions started popping up on the darknet, mostly full of people who just wanted to talk to each other in peace.
Radware’s Smith points out that there are a variety of news outlets on the dark web, ranging from the news website from the hacking group Anonymous to the New York Times, shown in the screenshot here, all catering to people in countries that censor the open internet.
Some spaces are by invitation only
Of course, not everything is so innocent, or you wouldn’t be bothering to read this article. Still, “you can’t just fire up your Tor browser and request 10,000 credit card records, or passwords to your neighbor’s webcam,” says Mukul Kumar, CISO and VP of Cyber Practice at Cavirin. “Most of the verified ‘sensitive’ data is only available to those that have been vetted or invited to certain groups.”
How do you earn an invite into these kinds of dark web sites? “They’re going to want to see history of crime,” says Radware’s Smith. “Basically it’s like a mafia trust test. They want you to prove that you’re not a researcher and you’re not law enforcement. And a lot of those tests are going to be something that a researcher or law enforcement legally can’t do.”
There is bad stuff, and crackdowns mean it’s harder to trust
As recently as last year, many dark web marketplaces for drugs and hacking services featured corporate-level customer service and customer reviews, making navigating simpler and safer for newbies. But now that law enforcement has begun to crack down on such sites, the experience is more chaotic and more dangerous.
“The whole idea of this darknet marketplace, where you have a peer review, where people are able to review drugs that they’re buying from vendors and get up on a forum and say, ‘Yes, this is real’ or ‘No, this actually hurt me’—that’s been curtailed now that dark marketplaces have been taken offline,” says Radware’s Smith. “You’re seeing third-party vendors open up their own shops, which are almost impossible to vet yourself personally. There’s not going to be any reviews, there’s not a lot of escrow services. And hence, by these takedowns, they’ve actually opened up a market for more scams to pop up.”
Reviews can be wrong, products sold under false pretenses—and stakes are high
There are still sites where drugs are reviewed, says Radware’s Smith, but keep in mind that they have to be taken with a huge grain of salt. A reviewer might get a high from something they bought online, but not understand what the drug was that provided it.
The dark web provides wholesale goods for enterprising local retailers…
Smith says that some traditional drug cartels make use of the dark web networks for distribution—”it takes away the middleman and allows the cartels to send from their own warehouses and distribute it if they want to”—but small-time operators can also provide the personal touch at the local level after buying drug chemicals wholesale from China or elsewhere from sites like the one in the screenshot here. “You know how there are lots of local IPA microbreweries?” he says. “We also have a lot of local micro-laboratories. In every city, there’s probably at least one kid that’s gotten smart and knows how to order drugs on the darknet, and make a small amount of drugs to sell to his local network.”
…who make extensive use of the gig economy
Smith describes how the darknet intersects with the unregulated and distributed world of the gig economy to help distribute contraband. “Say I want to have something purchased from the darknet shipped to me,” he says. “I’m not going to expose my real address, right? I would have something like that shipped to an AirBnB—an address that can be thrown away, a burner. The box shows up the day they rent it, then they put the product in an Uber and send it to another location. It becomes very difficult for law enforcement to track, especially if you’re going across multiple counties.”
Not everything is for sale on the dark web
We’ve spent a lot of time talking about drugs here for a reason. Smith calls narcotics “the physical cornerstone” of the dark web; “cybercrime—selling exploits and vulnerabilities, web application attacks—that’s the digital cornerstone. Basically, I’d say a majority of the darknet is actually just drugs and kids talking about little crimes on forums.”
Some of the scarier sounding stuff you hear about being for sale often turns out to be largely rumors. Take firearms, for instance: as Smith puts it, “it would be easier for a criminal to purchase a gun in real life versus the internet. Going to the darknet is adding an extra step that isn’t necessary in the process. When you’re dealing with real criminals, they’re going to know someone that’s selling a gun.”
Specific niches are in
Still, there are some very specific darknet niche markets out there, even if they don’t have the same footprint that narcotics does. One that Smith drew my attention to was the world of skimmers, devices that fit into the slots of legitimate credit and ATM card readers and grab your bank account data.
And, providing another example of how the darknet marries physical objects for sale with data for sale, the same sites also provide data manual sheets for various popular ATM models. Among the gems available in these sheets are the default passwords for many popular internet-connected models; we won’t spill the beans here, but for many it’s the same digit repeated five times.
It’s still mimicking the corporate world
Despite the crackdown on larger marketplaces, many dark web sites are still doing their best to simulate the look and feel of more corporate sites.
One odd feature of corporate software that has migrated to the dark web: the omnipresent software EULA. “A lot of times there’s malware I’m looking at that offers terms of service that try to prevent researchers from buying it,” Smith says. “And often I have to ask myself, ‘Is this person really going to come out of the dark and try to sue someone for doing this?’”
And you can use the dark web to buy more dark web
And, to prove that any online service can, eventually, be used to bootstrap itself, we have this final screenshot from our tour: a dark web site that will sell you everything you need to start your own dark web site.
Think of everything you can do there—until the next crackdown comes along.
The IoT is a grand vision, as it describes millions of interconnected intelligent devices that can communicate with one another and thereby control the world around us. Technically speaking, the smart grid can be considered an example of the IoT, composed of embedded machines that sense and control the behavior of the energy world. The IoT-driven smart grid is currently a hot area of research, boosted by the global need to improve electricity access, the economic growth of emerging countries, and worldwide power plant capacity additions. GlobalData, a renowned consulting firm, forecast that the global power transformer market would increase from $10.3 billion in 2013 to $19.7 billion in 2020, a compound annual growth rate of 9.6 percent, driven by the rise in energy demand in China, India and the Middle East. Therefore, it is the right time to invest in research initiatives, e.g., through our event, in the IoT-dominated smart grid sector.
In addition to its timeliness, the event comprises a broad range of interests. The theme invites ideas on how to achieve more efficient use of resources based largely on IoT-based machine-to-machine (M2M) interactions among millions of smart meters and sensors in smart-grid-specific communication networks such as home area networks, building area networks, and neighborhood area networks. The smart grid also encompasses IoT technologies that monitor transmission lines, manage substations, integrate renewable energy generation (e.g., solar or wind), and utilize hybrid vehicle batteries. Through these technologies, grid operators can identify outage problems and intelligently schedule power generation and delivery to customers. Furthermore, the smart grid teaches a valuable lesson: security must be designed in from the start of any IoT deployment. Since there is an alarming lack of standards addressing the protection of secret keys and the life-cycle security of embedded smart grid devices, intruders could use conventional attack techniques to breach these systems just as in any other IoT deployment.
The Internet of Things (IoT) is defined as billions of vehicles, buildings, process control devices, wearables, medical devices, drones, consumer/business products, mobile phones, tablets, and other “smart” objects that are wirelessly connecting to and communicating with each other. This new top law practice area is raising unprecedented legal and liability issues.
As one of the most transformative and fast-paced technology developments in recent years, IoT will require businesses, policymakers, and lawyers (M&A, IP, competition, litigation, health law, IT/outsourcing, and privacy/cybersecurity) to identify and address the escalating legal risks of doing business in a connected world.
Attend this institute to:
Discover why corporate, law firm, government, university, and other attendees gave the last two IoT Institutes rave reviews, calling it “magical,” “eye-opening,” with “rock star” speakers, and overall “a grand slam.”
Gain insights and practical guidance on the latest legal, legislative, regulatory, and liability issues of the IoT transformation—a game-changer for businesses, policymakers, and lawyers that’s generating hundreds of billions of dollars in spending globally.
Explore need-to-know IoT hot topics: big data/ privacy, cybersecurity, litigation/mitigation, cloud/artificial intelligence, connected healthcare, ethics, global IoT product development and sales, insurance risk allocation, and homeland/national security.
Cyber-physical and smart embedded systems, already highly networked, will be even more connected in the near future to form the Internet of Things, handling large amounts of private and safety-critical data. The pervasive diffusion of these devices will create several threats to privacy and could open new possibilities for attackers, since the security of even large portions of the Internet of Things could be harmed by compromising a small number of components. Secure updating of devices should be guaranteed, and it should be possible to verify and assert the root of trust of components. In this context we expect contributions in different areas of security in the Internet of Things. Topics of the workshop include but are not limited to:
– Malicious firmware design and detection
– Malware in Internet of Things applications
– Hardware root of trust
– Privacy issues of smart-home systems and complex systems
– Hardware Trojans and their effects on systems
– Hardware authentication and IP protection
– Secure communication and key-management
– Implementation attacks and countermeasures
– Emerging threats and attack vectors in the Internet of Things
– Supply chain security
Source: National Cyber Security – Produced By Gregory Evans The iPod, Facebook, “smart” televisions: the 21st century has seen a host of innovations that have transformed the way we live. The rise of the so called internet of things, or IoT, is another technological development that is starting to become an increasingly common presence in our […]
National Cyber Security Awareness Month (NCSAM) is in full swing. The month and its events have become top of mind for people and businesses in recent years, given the staggering number of recent data breaches and global ransomware attacks. The Equifax data breach, WannaCry ransomware and Petya/NotPetya attacks have dominated the news headlines. So, where…