Archive for the ‘IoT – Internet of Things’ Category

“Smart” Cock Ring Medical Hazard

Sunday, December 10th, 2017

World’s first ‘smart condom’ collects intimate data during sex and tells men whether their performance is red-hot or a total flop.

From the post:

The smart condom is a small band which fits around the bottom of a man’s willy, which means wearers will still need to strap on a normal condom to get full protection.

It is waterproof and features a band that’s ‘extraordinarily flexible to ensure maximum comfort for all sizes’.

Bizarrely, it even lights up to provide illumination for both partners’ nether regions.

Or better, a picture:

With a hand so you can judge its size:

It’s either the world’s shortest condom or it’s a cock ring. Calling it a condom doesn’t make it one.

The distinction between a condom and a cock ring is non-trivial. Improperly used, a cock ring can lead to serious injury.

Refer any friends you are “asking for” to: Post coital penile ring entrapment: A report of a non-surgical extrication method.

Catalin Cimpanu @campuscodi tweeted this as: “Security disaster waiting to happen…” but competing against others poses a health risk as well.

Confirmation: Internet of Things As Hacking Avenue

Tuesday, March 7th, 2017

I mentioned the Internet of Things (IoT) in Reading the Unreadable SROM: Inside the PSOC4 [Hacking Leader In Internet of Things Suppliers] as a growing (“Compound Annual Growth Rate (CAGR) of 33.3%”) source of cyber insecurity.

Today, Bill Brenner writes:

WikiLeaks’ release of 8,761 pages of internal CIA documents makes this much abundantly clear: the agency has built a monster hacking operation – possibly the biggest in the world – on the backs of the many internet-connected household gadgets we take for granted.

That’s the main takeaway among security experts Naked Security reached out to after the leak went public earlier Tuesday.

I appreciate the confirmation!

Yes, the IoT can be and is being used for government surveillance.

At the same time, the IoT is a tremendous opportunity to level the playing field against corporations and governments alike.

If the IoT isn’t being used against corporations and governments, whose fault is that?

That’s my guess too.

You can bulk download the first drop from:

A Monitor Darkly:… [An IoT in your monitor?]

Tuesday, August 9th, 2016

A Monitor Darkly: Reversing and Exploiting Ubiquitous On-Screen-Display Controllers in Modern Monitors by Ang Cui, Jatin Kataria, Francois Charbonneau.


There are multiple x86 processors in your monitor! OSD, or on-screen-display controllers are ubiquitous components in nearly all modern monitors. OSDs are typically used to generate simple menus on the monitor, allowing the user to change settings like brightness, contrast and input source. However, OSDs are effectively independent general-purpose computers that can: read the content of the screen, change arbitrary pixel values, and execute arbitrary code supplied through numerous control channels. We demonstrate multiple methods of loading and executing arbitrary code in a modern monitor and discuss the security implication of this novel attack vector.

We also present a thorough analysis of an OSD system used in common Dell monitors and discuss attack scenarios ranging from active screen content manipulation and screen content snooping to active data exfiltration using Funtenna-like techniques. We demonstrate a multi-stage monitor implant capable of loading arbitrary code and data encoded in specially crafted images and documents through active monitor snooping. This code infiltration technique can be implemented through a single pixel, or through subtle variations of a large number of pixels. We discuss a step-by-step walk-through of our hardware and software reverse-analysis process of the Dell monitor. We present three demonstrations of monitoring exploitation to show active screen snooping, active screen content manipulation and covert data exfiltration using Funtenna.

Lastly, we discuss realistic attack delivery mechanisms, show a prototype implementation of our attack using the USB Armory and outline potential attack mitigation options. We will release sample code related to this attack prior to the presentation date.

This hack is surprising only in that discussions of the insecurity of the Internet of Things (IoT) have failed to mention the mini-Internet of Things sitting on our desktops.

The video of the presentation isn’t up on the BlackHat YouTube channel, yet. But check back.

Pro-tip: If you write about this hack, don’t say it uses “…unnoticeable sound waves…” to connect to a radio receiver. Radio waves != sound waves. Radio waves are electromagnetic radiation and sound waves are mechanical waves.

Sex Toy Privacy Incentive For A Safer IoT?

Friday, March 18th, 2016

Will sex toys provide the incentive for a safer Internet of Things (IoT)?

Robert Abel reports, in Bad vibes: Researcher hacks sex toy, on a live demonstration of a hack on a sex toy.

Robert also reports that no user personal information was disclosed by this particular hack; the same may not be true for all IoT sex toys or hacks.

Is sex toy privacy enough of an incentive for better IoT security? 😉

Wait until he is in an ambulance, then we’ll get him…

Saturday, March 12th, 2016

The Facts Are In: Ambulances vulnerable to hackers

From the post:

Reports from multiple sources lead to a horrible conclusion. Almost all ambulances are vulnerable to hacking.

There are many compelling reasons for ambulances to be connected and computerized. Emergency responders can take advantage of connectivity to learn more about patients and use that info to deliver better emergency care. And patient status can be communicated to emergency rooms to better prepare for response. This is a life-saving capability.

But you can tell what can go wrong, right?

The Threat Brief calls out three reports that all reach the same conclusion: ambulances can be hacked.

The details remain an exercise for readers but that is likely just a matter of time.

Easy to imagine an online vulnerability store where you enter year, make/model and you are supplied with the latest hacks for that vehicle.

I wonder if the DARPA Improv competition will have many of these?

Internet of Things (Nissan LEAF) – Be Afraid, Be Sore Afraid

Saturday, February 27th, 2016

Controlling vehicle features of Nissan LEAFs across the globe via vulnerable APIs

From the post:

Last month I was over in Norway doing training for ProgramUtvikling, the good folks who run the NDC conferences I’ve become so attached to. I was running my usual “Hack Yourself First” workshop which is targeted at software developers who’d like to get up to speed on the things they should be doing to protect their apps against today’s online threats. Across the two days of training, I cover 16 separate discrete modules ranging from SQL injection to password cracking to enumeration risks, basically all the highest priority security bits modern developers need to be thinking about. I also cover how to inspect, intercept and control API requests between rich client apps such as those you find on a modern smart phone and the services running on the back end server. And that’s where things got interesting.

One of the guys was a bit inspired by what we’d done and just happened to own one of these – the world’s best-selling electric car, a Nissan LEAF:


What the workshop attendee ultimately discovered was that not only could he connect to his LEAF over the internet and control features independently of how Nissan had designed the app, he could control other people’s LEAFs. I subsequently discovered that friend and fellow security researcher Scott Helme also has a LEAF so we recorded the following video to demonstrate the problem. I’m putting this up front here to clearly put into context what this risk enables someone to do then I’ll delve into the details over the remainder of the post:

Troy Hunt, located in Australia, controls a Nissan LEAF located in Northern England via a web browser.

Heater on/off, driving (trip) history, nothing more serious, but worldwide accessibility via a VIN is an odd design decision.
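To make that design decision concrete, here is an added example (not Nissan’s API and not Troy Hunt’s code) of a hypothetical telematics endpoint that, like the LEAF service described above, accepts a VIN as its only identifier, beside a version that binds the VIN to the authenticated owner. The VINs, accounts, session tokens, endpoint names and vehicle state are all constructed for the example.

```python
"""Added example, not Nissan's service: VIN-only 'authorization' beside a fixed
handler that authenticates the caller and checks ownership of the VIN."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed data for the example: hypothetical VINs, accounts and tokens.
OWNERS = {                       # VIN -> owning account
    "VIN0000000000001": "alice",
    "VIN0000000000002": "bob",
}
VEHICLES = {                     # VIN -> state the API can read or change
    "VIN0000000000001": {"climate": "off", "trips": ["2016-02-20 12.4 km"]},
    "VIN0000000000002": {"climate": "off", "trips": ["2016-02-21 33.0 km"]},
}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}   # bearer token -> account


@dataclass
class Request:
    params: dict                                 # query-string or form fields
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def climate_vulnerable(req: Request) -> Response:
    """The flaw: the VIN in the request is the only thing that selects the car.
    There is no session, so whoever supplies a valid VIN controls that vehicle."""
    vin = req.params.get("vin")
    if vin not in VEHICLES:
        return Response(404)
    VEHICLES[vin]["climate"] = req.params.get("action", "off")
    return Response(200, {"vin": vin, "climate": VEHICLES[vin]["climate"]})


def _account_for(req: Request) -> Optional[str]:
    """Map a bearer token to an account; None when absent or unknown."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSIONS.get(auth[len("Bearer "):])


def climate_fixed(req: Request) -> Response:
    """Authenticate the caller, validate the input, then authorize: the VIN must
    belong to the caller. 'Not yours' and 'no such car' share one answer so the
    endpoint cannot be used to enumerate VINs."""
    account = _account_for(req)
    if account is None:
        return Response(401)
    action = req.params.get("action")
    if action not in ("on", "off"):
        return Response(400)
    vin = req.params.get("vin")
    if OWNERS.get(vin) != account:
        return Response(404)
    VEHICLES[vin]["climate"] = action
    return Response(200, {"vin": vin, "climate": action})


if __name__ == "__main__":
    # A stranger who knows Bob's VIN turns his heater on through the weak endpoint.
    print(climate_vulnerable(Request({"vin": "VIN0000000000002", "action": "on"})))
    # The same request against the fixed endpoint is refused without a session.
    print(climate_fixed(Request({"vin": "VIN0000000000002", "action": "on"})))
```

The vulnerable handler performs a lookup, not an authorization decision: a VIN is printed on the dashboard and the windscreen of every car, so it is an identifier, never a secret. The fixed handler authenticates first, then checks that the identifier belongs to the session’s account, and it validates the action before touching the vehicle.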

You won’t be able to try this, as Nissan is reported to have taken the service offline as of 25 February 2016.

Don’t be too disappointed. Bad design and implementation decisions are repeated over and over again. Perhaps you will find the next one first.

Institutional Dementia At Big Blue?

Sunday, January 24th, 2016

Why over two-thirds of the Internet of Things projects will fail by Sushil Pramanick (Associate Partner, Consultative Sales, IoT Leader, IBM Analytics).

From the post:

When did you first become interested in the Internet of Things (IoT)? If you’re like me, you’ve probably been following the news related to the IoT for years. As technology lovers, I’ll bet we have a lot in common. We are intensely curious. We are problem-solvers, inventors and perhaps more than anything else, we are relentlessly dedicated to finding better answers to our everyday challenges. The IoT represents a chance for us—the thinkers—to move far beyond the limiting technologies of the past and to unlock new value, new insights and new opportunities.

In mid-2005, Gartner stated that over 50 percent of data warehouse projects failed due to lack of adoption with data quality issues and implementation failures. In 2012, this metric was further scaled back to fewer than 30 percent. The parallelism here is that the Internet of Things hype is similar to data warehouse and business intelligence hype two decades ago when many companies embarked on decentralized reporting and/or basic analytics solutions. The problem was that some companies tried to build in-house, large enterprise data warehouse platforms that were disconnected and inherently had integration and data quality issues. A decade later, 50 percent of these projects failed. Another decade later, another over 20 percent failed. Similarly, companies are now trying to embark on Internet of Things initiatives using very narrow, point-focused solutions with very little enterprise IoT strategy in place, and in some cases, engaging or building unproven solution architectures.

Project failure rates are hardly news. But I mention this to illustrate the failure of institutional memory at IBM.

It wasn’t that many years ago (2008) that IBM published a forty-eight page white paper, Making Change Work, that covers the same ground as Sushil Pramanick.

Do you think “Consultative Sales, IBM Analytics” doesn’t talk to “IBM Global Business Services?”

Or is IBM’s institutional memory broken up by projects, departments, divisions, and communicated in part by formal documents but also by folklore, rumor and water fountain gossip?

A faulty institutional memory, with missed opportunities, duplicated projects, and a general failure to thrive, won’t threaten the existence of an IBM. At least not right away.

Can you say the same for your organization?

Topic maps can help your organization avoid institutional dementia.


Searching For Sleeping Children? (IoT)

Sunday, January 24th, 2016

Internet of Things security is so bad, there’s a search engine for sleeping kids by J.M. Porup.

From the post:

Shodan, a search engine for the Internet of Things (IoT), recently launched a new section that lets users easily browse vulnerable webcams.

The feed includes images of marijuana plantations, back rooms of banks, children, kitchens, living rooms, garages, front gardens, back gardens, ski slopes, swimming pools, colleges and schools, laboratories, and cash register cameras in retail stores, according to Dan Tentler, a security researcher who has spent several years investigating webcam security.

“It’s all over the place,” he told Ars Technica UK. “Practically everything you can think of.”

We did a quick search and turned up some alarming results:

Just so you know, the images from webcams are a premium feature of Shodan.

As the insecure IoT continues to spread, coupling the latest face recognition software with webcam feeds and public image databases could be a viable service. Early warning for those seeking to avoid detection, and video evidence for those hoping for it.

Similar to detective agencies but on a web scale.

There are less obvious IP-connected digital cameras than the ones from Wowwee:


But most of them still scream “digital camera” in white with obvious lens, etc.

Porup reports that the FTC is attempting to be proactive about webcam security but penalties after a substantial number of insecure webcams appear won’t help those already exposed on the Internet.

50 Predictions for the Internet of Things in 2016 (Ebola Moment for Software Development?)

Monday, January 11th, 2016

50 Predictions for the Internet of Things in 2016 by David Oro.

From the post:

Earlier this year I wrote a piece asking “Do you believe the hype?” It called out an unlikely source of hype: the McKinsey Global Institute. The predictions for IoT in the years to come are massive. Gartner believes IoT is a central tenet of top strategic technology trends in 2016. Major technology players are also taking Big Swings. Louis Columbus, writing for Forbes, gathered all the 2015 market forecasts and estimates here.

So what better way to end the year and look into the future than by asking the industry for their predictions for the IoT in 2016. We asked for predictions aimed at the industrial side of the IoT. What new technologies will appear? Which companies will succeed or fail? What platforms will take off? What security challenges will the industry face? Will enterprises finally realize the benefits of IoT? We heard from dozens of startups, big players and industry soothsayers. In no particular order, here are the Internet of Things Predictions for 2016.

I count nine (9) statements from various industry leaders on IoT and you have to register to see the other forty-one (41).

I don’t have a prediction but do have a question:

Will an insecure IoT in 2016 cause enough damage to motivate better hardware/software engineering and testing practices?

I ask because 2015 was a banner year for data breaches: Data Breach Reports (ITRC), December 31, 2015, reports 169,068,506 records exposed in 2015.

Yet, where is the widespread discussion about better software engineering? (silence)

Yes, yes, let’s have more penalties for hackers, which have yet to be shown to improve cybersecurity.

Yes, yes, let’s all be more aware of security threats, except that most can’t be mitigated by those aware of them.

Apparently the exposure of 169,068,506 records in 2015 wasn’t enough to get anyone’s attention. Or at least anyone who could influence the software development process.

Odd because just the rumor of Ebola was enough to change the medical intake procedures from hospitals, to general practices to dentists.

When is the Ebola moment coming for software engineering?

IoT: The New Tower of Babel

Thursday, December 10th, 2015


Luke Anderson‘s post at Clickhole, titled: Humanity Could Totally Pull Off The Tower Of Babel At This Point, was a strong reminder of the Internet of Things (IoT).

See what you think:

If you went to Sunday school, you know the story: After the Biblical flood, the people of earth came together to build the mighty Tower of Babel. Speaking with one language and working tirelessly, they built a tower so tall that God Himself felt threatened by it. So, He fractured their language so that they couldn’t understand each other, construction ceased, and mankind spread out across the ancient world.

We’ve come a long way in the few millennia since then, and at this point, humanity could totally pull off the Tower of Babel.

Just look at the feats of human engineering we’ve accomplished since then: the Great Wall; the Golden Gate Bridge; the Burj Khalifa. And don’t even get me started on the International Space Station. Building a single tall building? It’d be a piece of cake.

Think about it. Right off the bat, we’d be able to communicate with each other, no problem. Besides most of the world speaking either English, Spanish, and/or Chinese by now, we’ve got translators, Rosetta Stone, Duolingo, the whole nine yards. Hell, IKEA instructions don’t even have words and we have no problem putting their stuff together. I can see how a guy working next to you suddenly speaking Arabic would throw you for a loop a few centuries ago. But now, I bet we could be topping off the tower and storming heaven in the time it took people of the past to say “Hey, how ya doing?”

Compare this Internet of Things statement from the Masters of Contracts that Yield No Useful Result:

IoT implementation, at its core, is the integration of dozens and up to tens of thousands of devices seamlessly communicating with each other, exchanging information and commands, and revealing insights. However, when devices have different usage scenarios and operating requirements that aren’t compatible with other devices, the system can break down. The ability to integrate different elements or nodes within broader systems, or bringing data together to drive insights and improve operations, becomes more complicated and costly. When this occurs, IoT can’t reach its potential, and rather than an Internet of everything, you see siloed Internets of some things.

The first, in case you can’t tell from it being posted at Clickhole, was meant as sarcasm or humor.

The second was deadly serious from folks who would put a permanent siphon on your bank account. Whether their services are cost effective or not is up to you to judge.

The Tower of Babel is a statement about semantics and the human condition. It should come as no surprise that we all prefer our language over that of others, whether those are natural or programming languages. Moreover, judging from code reuse, to say nothing of the publishing market, we prefer our restatements of the material, despite equally useful statements by others.

How else would you explain the proliferation of MS Excel books? 😉 One really good one is more than enough. Ditto for Bible translations.

Creating new languages to “fix” semantic diversity just adds another partially adopted language to the welter of languages that need to be integrated.

The better option, at least from my point of view, is to create mappings between languages, mappings that are based on key/value pairs to enable others to build upon, contract or expand those mappings.

It simply isn’t possible to foresee every use case or language that needs semantic integration but if we perform such semantic integration as returns ROI for us, then we can leave the next extension or contraction of that mapping to the next person with a different ROI.

It’s heady stuff to think we can cure the problem represented by the legendary Tower of Babel, but there is a name for that. It’s called hubris and it never leads to a good end.

Toxic Gas Detector Alert!

Monday, December 7th, 2015

For years the Chicken Littles of infrastructure security have been warning of nearly impossible cyber-attacks on utilities and other critical infrastructure.

Despite nearly universal scorn from security experts, once those warnings are heard, they are dutifully repeated by a non-critical press and echoed by elected public officials.

Infrastructure was not insecure originally, but the Internet of Things is catching up with it and making what was once secure, insecure.

Consider Mark Stockley‘s report: Industrial gas detectors vulnerable to a remote ‘attacker with low skill’.

From the post:

Users of Honeywell’s Midas and Midas Black gas detectors are being urged to patch their firmware to protect against a pair of critical, remotely exploitable vulnerabilities.

These extremely serious vulnerabilities, found by researcher Maxim Rupp and reported by ICS-CERT (the Industrial Control Systems Cyber Emergency Response Team) in advisory ICSA-15-309-02, are simple enough to be exploited by an “attacker with low skill”:

Successful exploitation of these vulnerabilities could allow a remote attacker to gain unauthenticated access to the device, potentially allowing configuration changes, as well as the initiation of calibration or test processes.

…These vulnerabilities could be exploited remotely.

…An attacker with low skill would be able to exploit these vulnerabilities.

So, how bad is the problem?

You judge:

Midas and Midas Black gas detectors are used worldwide in numerous industrial sectors including chemical, manufacturing, energy, food, agriculture and water to:

…detect many key toxic, ambient and flammable gases in a plant. The device monitors points up to 100 feet (30 meters) away while using patented technology to regulate flow rates and ensure error-free gas detection.

The vulnerabilities could allow the devices’ authentication to be bypassed completely by path traversal (CVE-2015-7907) or to be compromised by attackers grabbing an administrator’s password as it’s transmitted in clear text (CVE-2015-7908).

That’s still not a full picture of the danger posed by these vulnerabilities. Take a look at the sales brochure on the Midas Gas Detector and you will find this chart of the “over 35 gases” the Midas Gas Detector can detect:


Several nasty gases on the list: Ammonia (caustic, hazardous), Arsine (highly toxic, flammable), Chlorine (extremely dangerous, poisonous for all living organisms), Hydrogen cyanide, and Hydrogen fluoride (“Hydrogen fluoride is a highly dangerous gas, forming corrosive and penetrating hydrofluoric acid upon contact with living tissue. The gas can also cause blindness by rapid destruction of the corneas.”)

Bear in mind that patch application doesn’t have an encouraging history: Potent, in-the-wild exploits imperil customers of 100,000 e-commerce sites

Honeywell has put the detection of extremely dangerous gases, at the mercy of script kiddies.
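The advisory says the device’s authentication can be bypassed by path traversal (CVE-2015-7907) but gives no detail of the firmware’s routing, so here, as an added example that is not Honeywell’s code, is the generic shape of that bug class in a hypothetical device web interface: the public/private decision is made on the raw request path, and the path is canonicalized only afterwards. The fixed handler canonicalizes first and refuses anything that changes under canonicalization. The page table, path prefixes and cookie value are assumptions.

```python
"""Added example, not Midas firmware: authentication bypass by path traversal
(decide-then-canonicalize) beside a handler that canonicalizes first."""
import posixpath
from typing import Dict, Tuple

# Constructed resources of a hypothetical device web interface.
PAGES = {
    "/index.html": "public status page",
    "/admin/config": "alarm thresholds and calibration settings",
    "/admin/calibrate": "start a calibration cycle",
}

# Paths that may be served without a login (assumed for the example).
PUBLIC_PREFIXES = ("/index.html", "/static/", "/img/")


def _authenticated(headers: Dict[str, str]) -> bool:
    """Hypothetical session check; the real device's scheme is not on the page."""
    return headers.get("Cookie") == "session=valid-admin"


def serve_vulnerable(path: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Bug: the 'is this public?' test runs on the raw path, so
    '/static/../admin/config' looks public, then normalizes to a private page."""
    if not path.startswith(PUBLIC_PREFIXES) and not _authenticated(headers):
        return (401, "login required")
    resolved = posixpath.normpath(path)
    return (200, PAGES[resolved]) if resolved in PAGES else (404, "not found")


def serve_fixed(path: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Canonicalize before any security decision and reject every path that is
    not already in canonical form (the only way '..' or '//' get in)."""
    # Percent-decoding must happen before this point in a real server; encoded
    # or backslash forms are simply refused here to keep the example short.
    if not path.startswith("/") or "\\" in path or "%" in path:
        return (400, "bad path")
    resolved = posixpath.normpath(path)
    if resolved != path or ".." in resolved.split("/"):
        return (400, "bad path")
    if not resolved.startswith(PUBLIC_PREFIXES) and not _authenticated(headers):
        return (401, "login required")
    return (200, PAGES[resolved]) if resolved in PAGES else (404, "not found")


if __name__ == "__main__":
    print(serve_vulnerable("/static/../admin/config", {}))   # served without login
    print(serve_fixed("/static/../admin/config", {}))        # (400, 'bad path')
```

The fix is not the `..` check by itself; it is the ordering. Any allow-list that is consulted before the path reaches its final form is an allow-list for a different string than the one the file system or page table will see. The second Midas finding, an administrator password sent in clear text (CVE-2015-7908), is not a code bug in the same sense but a transport one: a device on a plant network must be reachable only over an encrypted channel or a segregated network, because a password captured once is good until it is changed.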

Suggestion: If you work on-site where Midas Gas Detectors may be in use, inquire before setting foot on the site whether they are using Midas Gas Detectors of the relevant models and whether they are patched.

Bear in mind that the risk of “…corrosive and penetrating hydrofluoric acid upon contact with living tissue…” is yours in some situations. I would ask first.

IoT: Move Past the Rhetoric and Focus on Success

Monday, December 7th, 2015

Move Past the Rhetoric and Focus on Success

A recent missive from Booz Allen on the Internet of Things.

Two critical points that I want to extract for your consideration:

New Models for Security

The proliferation of IoT devices drastically increases the attack surface and creates attractive, and sometimes easy, targets for attackers. Traditional means of securing networks will no longer suffice as attack risks increase exponentially. We will help you learn how to think about security in an IoT world and new security models.

[page 4]

You have to credit Booz Allen with being up front about “…attack risks increas[ing] exponentially,” considering that “Hello Barbie” has an STD on her first Christmas.

Do you have a grip on your current exposure to cyber-risk? What is that going to look like when it increases exponentially?

I’m not a mid-level manager but I would be wary of increasing cyber-risk exponentially, especially without a concrete demonstration of value add from the Internet-of-Things.

The second item:

Interoperability is Key to Everything

IoT implementations typically contain hundreds of sensors embedded in different “things”, connected to gateways and the Cloud, with data flowing back and forth via a communication protocol. If each node within the system “speaks” the same language, then the implementation functions seamlessly. When these nodes don’t talk with each other, however, you’re left with an Internet of one or some things, rather than an Internet of everything. [page 4]

IoT implementation, at its core, is the integration of dozens and up to tens of thousands of devices seamlessly communicating with each other, exchanging information and commands, and revealing insights. However, when devices have different usage scenarios and operating requirements that aren’t compatible with other devices, the system can break down. The ability to integrate different elements or nodes within broader systems, or bringing data together to drive insights and improve operations, becomes more complicated and costly. When this occurs, IoT can’t reach its potential, and rather than an Internet of everything, you see siloed Internets of some things.

Haven’t we seen this play before? Wasn’t it called the Semantic Web? I suppose now called the Failed Semantic Web (FSW)?

Booz Allen would be more forthright to say, “…the system is broken down…” rather than “…the system can break down.”

I can’t think of a better way to build a failing IoT project than to presume that interoperability exists now (or that it is likely to exist, outside highly constrained circumstances).

Let’s take a simpler problem than everything and limit it to interchange of pricing data in the energy market. As you might expect, there is a standard, a rather open one, on that topic: Energy Market Information Exchange (EMIX) Version 1.0.

That specification is dated 11 January of 2012, which means on 11 January 2016, it will be four years old.

As of today, a search on “Energy Market Information Exchange (EMIX) Version 1.0” produces 695 “hits,” but 327 of them are at the organization where a TC produced this specification.

Even more interesting, only three pages of results are returned with the notation that beyond 30 results, the rest have been suppressed as duplicates.

So, at three years and three hundred and thirty days, Energy Market Information Exchange (EMIX) Version 1.0 has thirty (30) non-duplicate “hits?”

I can’t say that inspires me with a lot of hope for impact on interoperability in the U.S. Energy Market. Like the work Booz Allen cites, this too was sponsored by NIST and the DOE (EISA).

One piece of advice from Booz Allen is worth following:

Start Small

You may actually have IoT implementations within your organization that you aren’t aware of. And if you have any type of health wearable, you are actually already participating in IoT. You don’t have to instrument every car, road, and sign to have an Internet of some things. [page 10]

Building the Internet of Things for everybody should not be on your requirements list.

An Internet of Some Things will be your things and with proper planning it will improve your bottom line. (Contrary to the experience with the Semantic Web.)

Internet of Things (IoT) and More $Free Porn

Wednesday, October 7th, 2015

Every day brings new reports of digital data breaches. Security for the Internet of Things (IoT) is being discussed, but in light of the drum roll of breaches, there is very little confidence the IoT will be any more secure than present IT systems.

That being the case and by way of forewarning, unplug your webcam when you are not using it.

Insecurity in the Internet of Things (IoT) will geometrically increase the amount of $free porn on the Internet.

Amateur porn to be sure but instead of being people you are unlikely to meet, this could be the couple next door, or down the block, your doctor or pharmacist, perhaps even your spouse.

If you don’t believe me, check out: Cyber hacker hijacked webcams to spy on people having sex by David Wells.

From the story:

A cyber criminal hijacked computers to spy on people having sex through their webcams, the National Crime Agency (NCA) has said.

Stefan Rigo, 33, used malware called Blackshades to give him control over strangers’ cameras and spent five to 12 hours a day watching what they were doing in front of their computers.

The NCA said he was addicted to monitoring his victims, some of whom he knew and some who were complete strangers.

Rigo was given a 40-week suspended prison sentence, placed on the Sex Offenders Register for seven years and ordered to do 200 hours of unpaid work by magistrates in Leeds after he admitted voyeurism at a previous hearing, the agency confirmed.

Well, there’s a deterrent, “200 hours of unpaid work.” 😉

Looking forward to cellphone apps for finding vulnerable webcams, streaming them live to public or private accounts, just a tap away from $free porn.

Of course, you may also see people doing things that are illegal in your jurisdiction and not just sexually illegal things.

Wondering how the police will react to major drug deals being caught via an “ISpy” app for a cellphone and streamed to the Internet?

For those of you who have never deliberately disconnected anything from the Internet, I include this illustration:


Yep, that’s how it’s done.

You do have to remember to “reconnect” (another new word) it.

The upside is that you will be safe from strangers watching you have sex and/or commit crimes or indiscretions in the privacy of your own home.

They may be able to hear or monitor you through one or more other IoT devices but they won’t have video. If that makes you feel any better.

1,002 Things To Do With Your Drone

Tuesday, August 18th, 2015

You saw a Facebook post last January referring to Drones Will Be Everywhere Watching, Listening, and…Planting Millions of Trees? as “1,001 uses for drones.”

Here is use #1,002:

How Drones Can Find and Hack Internet-of-Things Network Things From the Sky by Mohit Kumar.

From the post:

Security researchers have developed a Flying Drone with a custom-made tracking tool capable of sniffing out data from the devices connected to the Internet – better known as the Internet-of-things.

Under its Internet of Things Map Project, a team of security researchers at the Texas-based firm Praetorian wanted to create a searchable database that will be the Shodan search engine for SCADA devices.

Located More Than 1600+ Devices Using Drone

To make it possible, the researchers devised a drone with their custom built connected-device tracking appliance and flew it over Austin, Texas in real time.

During an 18 minute flight, the drone found nearly 1,600 Internet-connected devices, of which 453 IoT devices are made by Sony and 110 by Philips. You can see the full Austin map here.

The map of Austin is way cool! What IoT map do you want to create?

Which reminds me, how do you defend against the intrusion of a drone? According to the Wall Street Journal, your options are limited and expensive.

I didn’t see the IoT scanning drone at Praetorian in either finished or kit form.

But I expect IoT scanning drones on the virtual shelves of online retailers long before the holiday season of 2015.

You will be able to spot popular holiday shopping venues by the clouds of drones sniffing for vulnerable automobiles.

PS: Give the military a couple of years to get into the IoT. Flying an IoT sniffing drone over the Pentagon should be a real hoot.

Who is in Charge of Android Security?

Wednesday, August 5th, 2015

Just the other day I posted Targeting 950 Million Android Phones – Open Source Security Checks?. Today my email had a link to: Nearly 90 percent of Android devices vulnerable to endless reboot bug by Allen Greenberg.

Allen points to: Android MediaServer Bug Traps Phones in Endless Reboots by Wish Wu, which reads in part:

We have discovered a new vulnerability that allows attackers to perform denial of service (DoS) attacks on Android’s mediaserver program. This causes a device’s system to reboot and drain all its battery life. In more a severe case, where a related malicious app is set to auto-start, the device can be trapped in an endless reboot and rendered unusable.

The vulnerability, CVE-2015-3823, affects Android versions 4.0.1 Jelly Bean to 5.1.1 Lollipop. Around 89% of the Android users (roughly 9 in 10 Android devices active as of June 2015) are affected. However, we have yet to discover active attacks in the wild that exploit this vulnerability.

This discovery comes hot on the heels of two other major vulnerabilities in Android’s media server component that surfaced last week. One can render devices silent while the other, Stagefright, can be used to install malware through a multimedia message.

Wow! Three critical security bugs in Android in a matter of weeks.

Which makes me ask the question: Who (the hell) is in Charge of Android Security?

Let’s drop the usual open source answer to complaints about the software: “…well, if you have an issue with the software you should contribute a patch…” and wise up that commercial entities are making money off the Android “open source” project.

People can and should contribute to open source projects but at the same time, commercial vendors should not foist avoidance of security bugs off onto the public.

Commercial vendors are already foisting security bugs off on the public because so far, not for very much longer, they have avoided liability for the same. They simply don’t invest in the coding practices that would avoid the security bugs that are so damaging to enterprises and individuals alike.

The same was true in the history of products liability. It is a very complex area of law that is developing rapidly and someday soon the standard EULA will fall and there will be no safety net under software vendors.

There are obvious damages from security bugs and there are vendors who could have avoided the security bugs in the first place. It is only a matter of time before courts discover that the same bugs (usually unchecked input) are causing damages over and over again and that checking input avoids the bug in the majority of cases.

Who can choose to check input or not? That’s right, the defendant with the deep pockets, the software vendor.

Who is in charge of security for your software?

PS: I mentioned the other day that the CVE database is available for download. That would be the starting point for developing a factual basis for known/avoidable bug analysis for software liability. I suspect that has been done and I am unaware of it. Suggestions?

IoT Pinger (Wandora)

Tuesday, July 28th, 2015

IoT Pinger (Wandora)

From the webpage:

This is an upcoming feature and is not included yet in the public release.

The IoT (Internet of Things) pinger is a general purpose API consumer intended to aggregate data from several different sources providing data via HTTP. The IoT Panel is found in the Wandora menu bar and presents most of the pinger’s configuration options. The Pinger searches the current Topic Map for topics with an occurrence with Source Occurrence Type. Those topics are expected to correspond to an API endpoint defined by corresponding occurrence data. The pinger queries each endpoint every specified time interval and saves the response as an occurrence with Target Occurrence Type. The pinger process can be configured to stop at a set time using the Expires toggle. Save on tick saves the current Topic Map in the specified folder after each tick of the pinger in the form iot_yyyy_mm_dd_hh_mm_ss.jtm.

Now there’s an interesting idea!

Looking forward to the next release!
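The polling loop the Wandora page describes (a list of endpoints, a fixed interval, an "Expires" cut-off, and a timestamped file saved on every tick) is simple enough to sketch in a few dozen lines. The block below is an added illustration written for this post, not Wandora's own code: the endpoint names and URLs are made up, a plain dict stands in for topics carrying a Source Occurrence, and each saved tick is JSON rather than Wandora's .jtm topic map format. The two checks worth copying are the ones a general-purpose API consumer needs before fetching whatever a topic map points at: an http(s)-only scheme check, and a timeout plus a response size cap.

```python
"""A minimal HTTP poller in the shape of the Wandora IoT pinger described above.

Constructed illustration, not Wandora code. Endpoint names and URLs are made up.
"""
import json
import time
from datetime import datetime, timezone
from pathlib import Path
from urllib.parse import urlparse
from urllib.request import Request, urlopen

# Constructed stand-in for topics carrying a "Source Occurrence": name -> endpoint.
SAMPLE_SOURCES = {
    "sensor-a": "https://example.invalid/api/temperature",  # hypothetical URL
    "sensor-b": "https://example.invalid/api/humidity",     # hypothetical URL
}

MAX_BODY_BYTES = 64 * 1024  # cap per response so one chatty endpoint cannot fill the disk


def tick_filename(unix_ts: float) -> str:
    """Name one saved tick the way the page describes: iot_yyyy_mm_dd_hh_mm_ss.jtm (UTC)."""
    return datetime.fromtimestamp(unix_ts, tz=timezone.utc).strftime("iot_%Y_%m_%d_%H_%M_%S.jtm")


def validate_endpoint(url: str) -> bool:
    """Accept only http(s) URLs with a host. A topic map is user-supplied data, so an
    occurrence pointing at file:// or a bare path must never be fetched."""
    parts = urlparse(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def http_fetch(url: str, timeout: float = 5.0) -> str:
    """Default fetcher: bounded by a connect/read timeout and a body size cap."""
    req = Request(url, headers={"User-Agent": "iot-pinger-example"})
    with urlopen(req, timeout=timeout) as resp:
        return resp.read(MAX_BODY_BYTES).decode("utf-8", errors="replace")


def poll_once(sources, fetch):
    """Query every endpoint once. A failing endpoint is recorded as an error
    rather than aborting the whole tick."""
    targets = {}
    for topic, url in sources.items():
        if not validate_endpoint(url):
            targets[topic] = {"error": "rejected endpoint: " + url}
            continue
        try:
            targets[topic] = {"body": fetch(url)}
        except Exception as exc:  # timeouts, DNS failures, HTTP errors
            targets[topic] = {"error": f"{type(exc).__name__}: {exc}"}
    return targets


def run_pinger(sources, fetch=http_fetch, interval_s=60.0, expires_at=None,
               save_dir=None, clock=time.time, sleep=time.sleep):
    """Poll on a fixed interval until the optional expiry time (the page's "Expires"
    toggle; None means run until interrupted). With save_dir set, each tick is
    written to its own timestamped file ("Save on tick"). Returns all ticks."""
    ticks = []
    while True:
        now = clock()
        if expires_at is not None and now >= expires_at:
            break
        snapshot = {"tick_time": now, "targets": poll_once(sources, fetch)}
        ticks.append(snapshot)
        if save_dir is not None:
            path = Path(save_dir) / tick_filename(now)
            path.write_text(json.dumps(snapshot, indent=2))
        sleep(interval_s)
    return ticks


if __name__ == "__main__":
    # About two ticks, 5 s apart; example.invalid never resolves, so both record errors.
    for t in run_pinger(SAMPLE_SOURCES, interval_s=5, expires_at=time.time() + 8):
        print(json.dumps(t["targets"]))
```

The `clock` and `sleep` parameters exist so the loop can be exercised without waiting: pass a fake clock that advances on each `sleep` call and the expiry logic runs instantly.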

The Internet of Things to take a beating in DefCon hacking contest

Wednesday, May 6th, 2015

The Internet of Things to take a beating in DefCon hacking contest by Lucian Constantin.

From the post:

Hackers will put Internet-connected embedded devices to the test at the DefCon 23 security conference in August. Judging by the results of previous Internet-of-Things security reviews, prepare for flaws galore.

This year, DefCon, the largest hacker convention in the U.S., will host a so-called IoT Village, a special place to discuss, build and break IoT devices.

“Show us how secure (or insecure) IP-enabled embedded systems are,” a description of the new village reads. “Routers, network storage systems, cameras, HVAC systems, refrigerators, medical devices, smart cars, smart home technology, and TVs — if it is IP-enabled, we’re interested.”

Def Con 23 August 6-9 at Paris & Bally’s in Las Vegas!

The call for papers is open until May 26, 2015.

This should be a real hoot!


Open Access Journals in Ancient Studies

Wednesday, May 6th, 2015

Alphabetical List of Open Access Journals in Ancient Studies by Charles Jones.

From AWOL – The Ancient World Online.

If you are interested in ancient studies, do visit Online Resources from ISAW (Institute for the Study of the Ancient World) at New York University.

It is an exemplar of what scholarship should look like in the 21st century.

Malware Kits for IoT?

Wednesday, May 6th, 2015

Analysis of a MICROSOFT WORD INTRUDER sample: execution, check-in and payload delivery by Yonathan Klijnsma.

From the post:

On April 1st FireEye released a report on “MWI” and “MWISTAT” which is a sort of exploit kit for Word Documents if you will: A New Word Document Exploit Kit

In the article FireEye goes over MWI, which is short for “Microsoft Word Intruder”, coded by an actor going by the handle ‘Objekt’. MWI is a ‘kit’ for people to use for spreading malware. It can generate malicious Word documents exploiting any of the following CVEs:

  • CVE-2010-3333
  • CVE-2012-0158
  • CVE-2013-3906
  • CVE-2014-1761

The builder, named MWI, generates these documents which call back to a server to download malicious payloads. Together with the MWI builder the author has also released MWISTAT; a statistics backend and optional downloader component for MWI documents to track campaigns and spread of the documents.

This post prompted me to look for malware kits for the Internet of Things (IoT).

I didn’t find any with a quick search but did find several IoT malware stories that may be of interest:

The Internet Of Things Has Been Hacked, And It’s Turning Nasty by Selena Larson.

From the post:

Don’t say we didn’t warn you. Bad guys have already hijacked up to 100,000 devices in the Internet of Things and used them to launch malware attacks, Internet security firm Proofpoint said on Thursday.

It’s apparently the first recorded large-scale Internet of Things hack. Proofpoint found that the compromised gadgets—which included everything from routers and smart televisions to at least one smart refrigerator—sent more than 750,000 malicious emails to targets between December 26, 2013 and January 6, 2014.

The Botnet of the Internet of Things by Waylon Grange.

From the post:

Last month we released our report on the Inception Framework and as part of that report outlined how a nation-state level attack compromised over 100 embedded devices on the Internet to use them as a private proxy to mask their identity. Since the release of the paper we have further discovered that the attackers not only targeted MIPS-el devices but also had binaries for ARM, SuperH, and PowerPC embedded processors. In light of this the 100 devices that we knew about is most likely only the tip of the iceberg and the total count was much, much more.

This network of proxies was managed by a central backend that tunneled attacks through an ever-cycling list of compromised devices, thus changing the IP address their attacks came from every few minutes. The whole system for tracking which compromised devices were available and managing the change in proxies at regular intervals had to be a fairly complex system, but the benefit to the attackers was clear. No one entity would have full insight into their attacks, only portions of it and it is hard for investigators to put together a puzzle with only a handful of the pieces.

This year your refrigerator may be a spam-bot and next year your toaster?

Don’t know how I will feel getting a spam email with return address: Joe’s Toaster.

Unfortunately, the people who are concerned about IoT security aren’t the ones building devices to become part of the IoT. Strict liability for losses, spamming, etc. due to IoT devices would go a long way towards generating concern among IoT device manufacturers.

I didn’t find any malware kits for the IoT but I will keep looking. Until the IoT becomes more secure, I’m not sharing network access with my refrigerator or toaster.
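The Proofpoint story above turns on one observable fact: a refrigerator or television has no business opening SMTP connections to the outside world. If you do let such devices onto your network, that makes a cheap detection rule for your firewall or flow logs. The block below is an added example written for this post, not code from Proofpoint or from the page: the IoT subnet, the single permitted mail relay and the flow records are all constructed, and the external addresses come from the RFC 5737 documentation ranges. It reads comma-separated flow records, ignores anything that is not TCP to a mail port, ignores the approved relay and mail that stays inside the LAN, and reports every other host by how many direct connections it made and to how many distinct destinations.

```python
"""Flag LAN hosts that speak SMTP directly to the outside world.

Constructed illustration for the IoT spam-bot scenario; not Proofpoint's code.
The subnet, relay address and flow records are made up; 203.0.113.0/24 and
198.51.100.0/24 are documentation ranges standing in for Internet hosts.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

SMTP_PORTS = {25, 465, 587}
# What counts as "inside": RFC 1918 space. Spelled out rather than using
# ip_address().is_private, because that also treats the documentation ranges
# used for the sample external hosts below as private.
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]
# Constructed: the only host on this LAN that is allowed to send mail out.
MAIL_RELAYS = {ip_address("192.168.1.10")}

# Constructed sample flow records: "timestamp,src,dst,dport,proto".
SAMPLE_FLOWS = """\
2014-01-03T10:00:01Z,192.168.50.12,203.0.113.5,25,tcp
2014-01-03T10:00:02Z,192.168.50.12,198.51.100.8,25,tcp
2014-01-03T10:00:02Z,192.168.50.12,198.51.100.9,587,tcp
2014-01-03T10:00:03Z,192.168.1.10,203.0.113.5,25,tcp
2014-01-03T10:00:04Z,192.168.50.20,203.0.113.44,443,tcp
2014-01-03T10:00:05Z,192.168.50.31,192.168.1.10,25,tcp
this line is malformed on purpose and must be skipped
"""


def parse_flow(line):
    """Parse one record; return None for malformed lines instead of raising."""
    parts = line.strip().split(",")
    if len(parts) != 5:
        return None
    ts, src, dst, dport, proto = parts
    try:
        return {"ts": ts, "src": ip_address(src), "dst": ip_address(dst),
                "dport": int(dport), "proto": proto.lower()}
    except ValueError:
        return None


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def direct_smtp_senders(lines, min_flows=1):
    """Return {source_ip: {"flows": n, "destinations": [...]}} for hosts that are not
    the approved relay and opened TCP connections to a mail port on an external host.
    min_flows lets you ignore a one-off (a misconfigured printer, say) and keep only
    hosts that are clearly sending in volume."""
    seen = defaultdict(lambda: {"flows": 0, "destinations": set()})
    for line in lines:
        f = parse_flow(line)
        if f is None or f["proto"] != "tcp" or f["dport"] not in SMTP_PORTS:
            continue
        if f["src"] in MAIL_RELAYS or is_internal(f["dst"]):
            continue  # approved relay, or mail submitted to the relay internally
        entry = seen[str(f["src"])]
        entry["flows"] += 1
        entry["destinations"].add(str(f["dst"]))
    return {src: {"flows": e["flows"], "destinations": sorted(e["destinations"])}
            for src, e in seen.items() if e["flows"] >= min_flows}


if __name__ == "__main__":
    for src, info in direct_smtp_senders(SAMPLE_FLOWS.splitlines()).items():
        print(f"{src}: {info['flows']} direct SMTP flows to {len(info['destinations'])} hosts")
```

On the sample data only 192.168.50.12 is reported: the relay is allowed, the host on port 443 is not mail, and 192.168.50.31 handed its mail to the internal relay, which is the behaviour you want. The same rule expressed as an egress firewall policy (deny TCP/25, 465, 587 from the IoT segment except to the relay) stops the spam rather than just logging it.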

Sharing and the IoT?

Monday, March 16th, 2015

Walter Adamson writes in Why the Internet of Things is about the data, not the ‘Thing’:

Wouldn’t it also be nice if you could learn the following about yourself and your lifestyle:

  • when you haven’t had a good enough sleep to undertake hard physical exertion without risking more fatigue;
  • when you seem to have an identifiable chronic bad sleep pattern that needs attention from an expert;
  • when your heart is healthy, and when it is needing attention;
  • your level of real fitness, and how your activity patterns are changing it for better or worse;
  • your real level of exertion, and which exercises/activities give you best fitness benefits;
  • when you are in danger of over-exercising and weakening your immune system;
  • how you compare to your peers and community and what you can learn from them?

Sharing the data shares the goodness

I’m sorry, I am old enough to have had any number of bad habits and poor lifestyle choices over the years. Deeply enjoyed all of them.

The very last thing I needed was my watch, TV, or car whining at me about my choices.

Adamson’s vision of the Internet of Things scenario is a nightmare where you may not live to be 100 but you will feel like it.

PS: You should cultivate good health habits, in moderation, but be mindful that no one says on their death bed: “I’m sorry I had such a good time.”

The internet of things and big data: Unlocking the power

Sunday, March 8th, 2015

The internet of things and big data: Unlocking the power by Charles McLellan.

From the post:

If you have somehow missed the hype, the IoT is a fast-growing constellation of internet-connected sensors attached to a wide variety of ‘things’. Sensors can take a multitude of possible measurements, internet connections can be wired or wireless, while ‘things’ can literally be any object (living or inanimate) to which you can attach or embed a sensor. If you carry a smartphone, for example, you become a multi-sensor IoT ‘thing’, and many of your day-to-day activities can be tracked, analysed and acted upon.

Big data, meanwhile, is characterised by ‘four Vs’: volume, variety, velocity and veracity. That is, big data comes in large amounts (volume), is a mixture of structured and unstructured information (variety), arrives at (often real-time) speed (velocity) and can be of uncertain provenance (veracity). Such information is unsuitable for processing using traditional SQL-queried relational database management systems (RDBMSs), which is why a constellation of alternative tools — notably Apache’s open-source Hadoop distributed data processing system, plus various NoSQL databases and a range of business intelligence platforms — has evolved to service this market.

The IoT and big data are clearly intimately connected: billions of internet-connected ‘things’ will, by definition, generate massive amounts of data. However, that in itself won’t usher in another industrial revolution, transform day-to-day digital living, or deliver a planet-saving early warning system. As EMC and IDC point out in their latest Digital Universe report, organisations need to hone in on high-value, ‘target-rich’ data that is (1) easy to access; (2) available in real time; (3) has a large footprint (affecting major parts of the organisation or its customer base); and/or (4) can effect meaningful change, given the appropriate analysis and follow-up action.

As we shall see, there’s a great deal less of this actionable data than you might think if you simply looked at the size of the ‘digital universe’ and the number of internet-connected ‘things’.

On the question of business opportunities, you may want to look at: 5 Ways the Internet of Things Drives New $$$ Opportunities by Bill Schmarzo.

A graphic from the report summarizes those opportunities:


Select the image to see a larger (and legible) version. Most of the posts where I have encountered it leave it barely legible.

See the: EMC Digital Universe study – with research and analysis by IDC.

From the executive summary:

In 2013, only 22% of the information in the digital universe would be a candidate for analysis, i.e., useful if it were tagged (more often than not, we know little about the data, unless it is somehow characterized or tagged – a practice that results in metadata); less than 5% of that was actually analyzed. By 2020, the useful percentage could grow to more than 35%, mostly because of the growth of data from embedded systems.

Ouch! I had been wondering when the ships of opportunity were going to run aground on semantic incompatibility and/or a lack of semantics.

Where does your big data solution store “metadata” about your data (both keys and values)?

Or have you built a big silo for big data?