Almost three years ago, we published The Seven Properties of Highly Secured Devices, which introduced a new standard for IoT security and argued, based on an analysis of best-in-class devices, that seven properties must be present on every standalone device that connects to the internet in order to be considered secured. Azure Sphere, now generally available, is Microsoft’s entry into the market: a seven-properties-compliant, end-to-end product offering for building and deploying highly secured IoT devices.
Every connected device should be highly secured, even devices that seem simplistic, like a cactus watering sensor. The seven properties are always required. These details are captured in a new paper titled, Nineteen cybersecurity best practices used to implement the seven properties of highly secured devices in Azure Sphere. It focuses on why the seven properties are always required and describes best practices used to implement Azure Sphere. The paper provides detailed information about the architecture and implementation of Azure Sphere and discusses design decisions and trade-offs. We hope that the new paper can assist organizations and individuals in evaluating the measures used within Azure Sphere to improve the security of IoT devices. Companies may also want to use this paper as a reference when assessing Azure Sphere or other IoT offerings. In this blog post, we discuss one issue covered in the paper: why are the seven properties always required?
Why are the seven properties applicable to every device that connects to the internet?
If an internet-connected device performs a non-critical function, why does it require all seven properties? Put differently, are the seven properties required only when a device might cause harm if it is hacked? Why would you still want to require an advanced CPU, a security subsystem, a hardware root of trust, and a set of services to secure a simple, innocuous device like a cactus water sensor?
Because any device can be the target of a hacker, and any hacked device can be weaponized.
Consider the Mirai botnet, a real-world example of IoT gone wrong. The Mirai botnet involved approximately 150,000 internet-enabled security cameras. The cameras were hacked and turned into a botnet that launched a distributed denial of service (DDoS) attack that took down internet access for a large portion of the eastern United States. For security experts analyzing this hack, the Mirai botnet was distressingly unsophisticated. It was also a relatively small-scale attack, considering that many IoT devices will sell more than 150,000 units.
Adding internet connectivity to a class of device means a single, remote attack can scale to hundreds of thousands or millions of devices. The ability to scale a single exploit to this degree is cause for reflection on the upheaval IoT brings to the marketplace. Once the decision is made to connect a device to the internet, that device has the potential to transform from a single-purpose device to a general-purpose computer capable of launching a DDoS attack against any target in the world. The Mirai botnet is also a demonstration that a manufacturer does not need to sell many devices to create the potential for a “weaponized” device.
IoT security is not only about “safety-critical” deployments. Any deployment of a connected device at scale requires the seven properties. In other words, the function, purpose, and cost of a device should not be the only considerations when deciding whether security is important.
The seven properties do not guarantee that a device will not be hacked. However, they greatly minimize certain classes of threats and make it possible to detect and respond when a hacker gains a toehold in a device ecosystem. If a device doesn’t have all seven, human practices must be implemented to compensate for the missing features. For example, without renewable security, a security incident will require disconnecting devices from the internet and then recalling those devices or dispatching people to manually patch every device that was attacked.
Some of the seven properties, such as a hardware-based root of trust and compartmentalization, require certain silicon features. Others, such as defense in depth, require a certain software architecture as well as silicon features like the hardware-based root of trust. Finally, other properties, including renewable security, certificate-based authentication, and failure reporting, require not only silicon features and certain software architecture choices within the operating system, but also deep integration with cloud services. Piecing these critical pieces of infrastructure together is difficult and prone to errors. Ensuring that a device incorporates these properties could therefore increase its cost.
These challenges led us to believe the seven properties also created an opportunity for security-minded organizations to implement these properties as a platform, which would free device manufacturers to focus on product features, rather than security. Azure Sphere represents such a platform: the seven properties are designed and built into the product from the silicon up.
Best practices for implementing the seven properties
Based on our decades of experience researching and implementing secured products, we identified 19 best practices that were put into place as part of the Azure Sphere product. These best practices provide insight into why Azure Sphere sets such a high standard for security. Read the full paper, Nineteen cybersecurity best practices used to implement the seven properties of highly secured devices in Azure Sphere, for the in-depth discussion of each of these best practices and how they—along with the seven properties themselves—guided our design decisions.
We hope that the discussion of these best practices sheds some additional light on the large number of features the Azure Sphere team implemented to protect IoT devices. We also hope that this provides a new set of questions to consider in evaluating your own IoT solution. Azure Sphere will continue to innovate and build upon this foundation with more features that raise the bar in IoT security.
To read previous blogs on IoT security, visit our blog series: https://www.microsoft.com/security/blog/iot-security/
The post Cybersecurity best practices to implement highly secured devices appeared first on Microsoft Security.
Experts from Palo Alto Networks discovered that the Mirai and Hoaxcalls botnets are targeting a vulnerability in legacy Symantec Web Gateways.
Palo Alto Networks Unit 42 researchers observed both the Mirai and Hoaxcalls botnets using an exploit for a post-authentication Remote Code Execution vulnerability in legacy Symantec Web Gateways 184.108.40.206.
“I recently came across new Hoaxcalls and Mirai botnet campaigns targeting a post-authentication Remote Code Execution vulnerability in Symantec Secure Web Gateway 220.127.116.11, which is a product that became end-of-life (EOL) in 2015 and end-of-support-life (EOSL) in 2019.” reads the analysis published by Palo Alto Networks. “There is no evidence to support any other firmware versions are vulnerable at this point in time and these findings have been shared with Symantec.”
Symantec pointed out that the flaw has been fixed in Symantec Web Gateway 5.2.8 and that it doesn’t affect Secure Web Gateway solutions, such as ProxySG and Web Security Services.
Experts first observed the exploitation of the flaw in the wild on April 24, 2020, as part of an evolution of the Hoaxcalls botnet that was first discovered in early April. The botnet borrows code from the Tsunami and Gafgyt botnets; it expanded the list of targeted devices and added new distributed denial of service (DDoS) capabilities.
In the first week of May, the experts also spotted a Mirai variant using the same exploit, but these samples don’t contain any DDoS capabilities.
“they serve the purpose of propagation using credential brute force and exploitation of the Symantec Secure Web Gateway RCE vulnerability. This blog post provides any noteworthy technical details on these two campaigns.” continues the report.
According to Unit 42, both the Mirai and Hoaxcalls botnets used payloads designed to discover and infect vulnerable devices. In the case of Mirai, the bot is able to propagate via either credential brute-forcing or use of the Symantec Web Gateways exploit.
Experts note that the exploit is only effective for authenticated sessions and the affected devices are End of Life (EOL) from 2012.
“In the case of both campaigns, one can assume that their success with this exploit is limited by the post-authentication nature of the Symantec Secure Web Gateway RCE vulnerability.” concludes Palo Alto Networks.
The report published by Palo Alto Networks contains technical details about the botnet, including the Indicators of Compromise (IoCs).
The post Both Mirai and Hoaxcalls IoT botnets target Symantec Web Gateways appeared first on Security Affairs.
“I’m afraid people will remain the weakest link in security, and the vast majority of cybercriminals go after this lowest hanging fruit. It’s the least effort for the most reward.”
"There is no silver bullet with password security, but MFA comes close, it significantly reduces the risk of account compromise"
"The built-in biometric authentication capabilities of smartphones are a significant advancement for security"
"Cybercriminals go after this lowest hanging fruit, the least effort for the most reward."
"As technology becomes more secure and more difficult to defeat, it stands to reason criminals will increasingly target people more."
"The impact of the WannaCry ransomware outbreak on NHS IT systems is a recent example of such cyberattack which threatens lives."
"Machine Learning can provide real benefits, especially in large Security Operations Centres (SOC), by helping analysts break down the steady stream of data into actionable intelligence, reducing workload and false-positive errors"
"When I look at new technology today, I still seek to thoroughly understand how it works, naturally thinking about the weaknesses which could be exploited, and the negative impact of such exploits on the people and businesses using the technology. I developed a kind of a ‘hacker’s eye for business’"
More and more parents and their kids are experiencing what it’s like to work and learn together from home these days. With this increase in device use, it’s more important than ever to verify that all the technology humming under your roof is as secure as possible.
Securing family technology
Run an overall security check. Taking an inventory of all your family’s connected devices and their security should be as important as keeping your doors locked and keeping batteries in your smoke alarms — your family’s safety depends on it. Consider installing a comprehensive security solution across all devices. This will help protect your family against malware, viruses, phishing attacks, and alert you to malicious websites. As part of your security check, be sure to update the software on all devices, including IoT products, TVs, and toys.
Review parental controls. There’s no way around it. Device use will likely skyrocket under your roof for a while. Kids will be online for school, as well as for fun. You may have turned on some filtering on some devices and some social networks, but it may be time to bring on an extra set of eyes and ears with comprehensive filtering software. With increased tech use, parental controls will help monitor your child’s digital activity. Also, with a new work-at-home lifestyle, the software (with time limits) can make scheduling family breaks together much more manageable.
Secure your home router. Your router is akin to your family’s front door, and now is a great time to change the locks (your passwords) on this critical entryway into your home. If you are reluctant to change your passwords or think it’s a hassle, consider the simplicity of a password manager. Using a password manager will make passwords easy to change and easy to keep track of, which can boost overall security. If you are working from home, make sure your home network aligns with your company’s security expectations. For specifics on business security, read this post on working securely from home.
Introduce a VPN (Virtual Private Network). If you’ve toyed with the idea of a VPN but just haven’t made a move, now is a great time. While you may not venture into public spaces much at the present moment, a VPN will add a significant layer of security on your devices if you take a break and go to a public park or if your kids need to go online while at a friend’s. Explain VPN benefits to your kids and how to log on. It’s easy, it’s smart, and it’s secure.
Securing your family bond
Create a schedule that works for everyone. Your home network is likely working on overdrive by now. With the extra online schooling, devices, and video calls taking place, your bandwidth may start to lag. This is because residential internet doesn’t rival business internet. Discuss a schedule for online time and the challenge of accomplishing mutual deadlines each day. Respect and honor one another’s responsibilities. If you’ve never had the chance to talk about the specifics of your job and daily tasks, maybe this is your chance.
Acknowledge the stress of uncertainty. There are feelings — lots of feelings — that accompany change, and everyone’s response to it will vary. Shifting into an abrupt, new routine may feel confusing and confining to a child of any age and cause anxiety and emotions to run high. Talk through these feelings together as often as needed. Acknowledge your child’s losses — connection with teachers, sports, friends, events — and offer empathy and support.
Explore new possibilities — together. No doubt, considerable shifts in a family’s routine can be stressful. Even so, there’s opportunity woven throughout every challenge. With some extra time management, it’s possible to discover some hidden opportunities and adventures along the way. Hiking, canoeing, and exploring the outdoors could become a new love for your family. Watching movie classics together, learning a new skill online, building something, or tackling overdue projects together may open up a new, shared passion. Endless possibilities await.
Balance work, health, and family. Nothing will undermine your efforts to work from home more than a skewed work-life or school-life balance (yes, kids can go overboard too)! A recent study shows that remote workers are more productive than office workers and spend more time at their desks. For balance, consider setting firm office/school hours (for both you and the kids), taking exercise breaks throughout the day, and getting an accountability partner to help you stay on track. And, don’t forget — lots of eyes are watching you always — so modeling work-life-and-technology balance for your kids teaches them the same value.
It’s a new frontier, parent, but with the right tools and the proper support around you, anything is possible. Stay healthy, stay happy, and stay secure in this new remote, family adventure.
The post Honey, We’re Home! Securing Your Devices and Your Family Bond appeared first on McAfee Blogs.
Redcar and Cleveland Borough Council became the latest UK organisation to fall victim to a mass ransomware attack, which started on 8th February. The north-east Council's servers, PCs, mobile devices, websites and even phone lines have been down for three weeks at the time of writing. A Redcar and Cleveland councillor told the Guardian it would take several months to recover and the cost to repair the damage done is expected to be between £11m and £18m. That is a significant sum for the cash-strapped council, which confirmed that the outage was caused by ransomware 19 days after the attack. The strain of ransomware involved and the method of initial infiltration into the council's IT systems have yet to be confirmed.
The English FA shut down its investigation into allegations Liverpool employees hacked into Manchester City's scouting system. The Manchester club also made news headlines after UEFA banned it from European competition for two years, a ban based on alleged stolen internal email evidence obtained by a hacker. Read The Billion Pound Manchester City Hack for further details.
The UK government said the GRU (Russian military intelligence) was behind a massive cyber-attack which knocked out more than 2,000 websites in the country of Georgia last year, in an "attempt to undermine Georgia's sovereignty". Foreign Secretary Dominic Raab described it as "totally unacceptable".
The United States deputy assistant secretary for cyber and communications, Robert Strayer, said he did not believe the UK government's January 2020 decision to allow Huawei limited access to the UK's 5G infrastructure was final. "Our understanding is that there might have been some initial decisions made but conversations are continuing," he told the BBC. Read The UK Government Huawei Dilemma and the Brexit Factor for more on the UK government's Huawei political, economic and security debate.
Following Freedom of Information requests it made, Viasat reported that UK government employees had either lost or had stolen 2,004 mobiles and laptops between June 2018 and June 2019.
According to figures by the FBI, cybercriminals netted £2.7bn ($3.5bn) from cybercrimes reported in 2019, with phishing and extortion remaining the most common methods of scamming people. These FBI-reported cybercrime losses have tripled over the past 5 years. The FBI concluded that cyber scam techniques are becoming more sophisticated, making it harder for ordinary people to tell "real from fake". A new Kaspersky report backs up the FBI, finding a 9.5% growth in financial phishing during the final quarter of 2019.
The Labour party is facing data protection fines of up to £15m for failing to protect their members' personal data. The Information Commissioner's Office confirmed the Labour Party would be the focus of their investigation since it is legally responsible for securing members' information as the "data controller".
If you have a 'Ring' smart camera doorbell (IoT) device then you may have noticed Two-Factor Authentication (2FA) was mandated in February. Ring's stance of enforcing a strengthening of security may be related to several recent high-profile home camera hack reports.
The facial recognition company Clearview AI advised that a hacker stole its client list database. The firm works with law enforcement agencies and gained notoriety after admitting it had scraped billions of individuals' photos off the internet.
- The Billion Pound Manchester City Hack
- Keys to the Kingdom, Smart Cities Security Concerns
- Cyber Security Roundup for February 2020
- Redcar Council took down by Ransomware Attack: Council using Pen and Paper for 3 weeks and counting
- US Cyber-Boss tells the UK to 'think again' on Huawei
- MGM Hack Exposes Personal Data of 10.6 million Guests on Hacking Forum
- UK says Russia's GRU behind Massive Georgia Cyber-Attack
- Cybercrime Profits reached £2.7bn from Cybercrimes reported to FBI alone in 2019
- ISS World Hack leaves Thousands of Employees Offline
- Sports Retail Giant Decathlon Leaks 123 Million Records via a Misconfigured database
- Thousands of Mobiles and Laptops lost by the UK Government in a Year
- The United States charges Chinese Military Hackers with Equifax Breach
- Data Breach hits Agency overseeing White House Communications
- Labour could be fined up to £15m for failing to Protect Members’ Data
- The FA shutdown probe on claims of Liverpool FC Hacking Manchester City’s Youth Scouting System
- Ring Mandates MFA Logins
- Clearview AI Facial-Recognition has Client list Stolen
- Microsoft Patches 99 Vulnerabilities, including 13 Critical for Windows, IE, ChakraCore, and Flash
- Microsoft Patches IE Vulnerability being Exploited in the Wild
- Flaw in Philips Smart Light Bulbs Exposes WiFi Network to Hackers
- Adobe Patch Tuesday: Critical vulnerabilities in Flash Player, Framemaker Patched
- Adobe, VMWare issue Patches for Critical Vulnerabilities a week after Patch Tuesday
- Adobe Patches Critical Magento Security Vulnerabilities
- Critical Vulnerability Found in IBM ServeRAID Manager
- Google issues Chrome Update Patching to Zero Day
- Google Patches Bluetooth Vulnerability impacting most Android devices
- Critical Flaw in OpenSMTPD Found and Patched
- Cisco issues 17 Security Updates
- Five High-Level Flaws Patched in Cisco Discovery Protocol
- Dell Patches SupportAssist Vulnerability
- Mozilla issues Patches for Firefox 73, Firefox ESR 68.5 and Thunderbird 68.5
- Microsoft Exchange Servers Open to Remote Hacking due to Major Flaw
- TA505 Phishing Campaign uses HTML redirectors to Spread Info Stealer
- Metamorfo Banking Malware Spreads around the World
- Hidden Cobra adds to its Malware Arsenal: CISA
- Phishers using Strong Tactics and Poor Bait in Office 365 Scam
- Emotet Now Using Wi-Fi To Spread Malware
- Android Banking Trojan steals Google Two-Factor Authentication codes
- Unpatched VPN Servers Hit by Apparent Iranian APT Groups
- Detecting Ryuk Ransomware
- Nominet CISO Stress Report
- Financial Phishing grew by 9.5% during Holiday Shopping Season
In the US, for example, cities like Philadelphia, Newark and Chicago all have goals to upgrade and to become leading ‘SMART’ cities, while UK innovation is being spearheaded by major conurbations such as Bristol, London and Manchester.
When connectivity and innovation meet such large city infrastructures, they immediately become vulnerable to cyber threats from malicious actors waiting to bring all that hard work to a standstill. And, the routes in are manifold.
We are increasingly dealing with connected versions of devices that have existed for a long time, such as CCTV cameras, and as a consequence, digital security is not very often incorporated into their designs.
In addition, cybersecurity will have to extend far past personal, or internal corporate networks, to encompass far-ranging technological protection for vast city networks at a scale and a pace many are struggling to respond to.
Moreover, the sheer volume of data being collected and transmitted across a multi-user network, with numerous locations, can be extremely challenging to protect. London’s City Hall Datastore, for example, holds over 700 sets of big data that help address urban challenges and improve public services, and the rise in cashless payment methods for transport.
It is the complexity that the above factors represent that often overwhelms a network security team’s ability to ensure sensitive data is protected with encryption, especially when network infrastructures can be constructed using different vendor technology, much of which does not provide strong encryption. This also includes many municipalities that have older legacy, third-party or disaggregated networks.
It is therefore not a matter of if but when sensitive data may fall into the wrong hands. Network security teams have to ensure that any data breach is detected immediately, before the infection spreads from network system to network system, potentially shutting off critical services for thousands of companies, not to mention for those who reside in the city itself.
Providing the Keys
Choosing the right encryption solution is critical and can be key in mitigating damage caused by a data breach. Most cities find implementing these solutions disruptive and complex, especially for organisations that operate large and diverse networks. For example, manual configuration of encryption can lead to human error that unknowingly exposes risk, and managing multiple vendors can be burdensome and inefficient. Most importantly, network visibility is lost with many encryption solutions, which is a significant issue as it reduces the ability of security teams to detect and thwart malicious actors and cyber threats.
Protecting large volumes of data moving across a vast multi-user network, with the vulnerabilities and threats that entails, requires a security strategy that is simple, scalable and uncomplicated in order to avoid any disruption of critical infrastructure services provided to businesses or citizens, not to mention compliant with governmental cybersecurity regulations and/or codes of practice.
Whereas traditional Layer 2 & 3 encryption methods are often disruptive and complex, a Layer 4 solution enables encryption of data in transit independent of network applications and without having to move, replace or disrupt the network infrastructure. This is a significant savings in resources, time and budget.
In addition, network blind spots due to problems, outages, and cyber-criminals using encryption to conceal malware, increase network security risk and are potential regulatory compliance issues. According to a recent survey from Vanson Bourne[i], roughly two-thirds, or 67 percent, of organisations say that network blind spots are one of the biggest challenges they face when trying to protect their data.
With network monitoring one of the strongest defences against blind spots, Layer 4 encryption and encryption management tools offer network visibility by keeping a close and constant eye on network traffic. Network visibility tools allow existing applications and net performance tools to work after encryption is turned on without blinding the network.
Finally, adding in network observability allows smart cities to analyse and gain deeper understanding of network policy deployment and policy enforcement by scrutinising every application that tries to communicate across the network, all the while monitoring pathways for potential threats now that each policy is observable in real-time.
For organisations and teams tasked with implementing smart technology in residential, commercial and public spaces, plans on how to do so will have to be part of the design and planning stage – including how we securely implement and maintain these smart spaces. It is integral that all connected aspects of smart cities have undergone extensive planning and designing, with a smart city architecture for service key management at the core. Defining standards and enforceable policies that can be analysed to help identify network vulnerabilities and thwart potential threats is critical.
Providing better technology is an ever-evolving, fast-paced race and caution should be given to those cities who move so fast that they risk building an infrastructure without equally giving precedence to the protection of data of those who work and live in their city.
Another Consumer Electronics Show (CES) has come and gone. Every year, this trade show joins practically everyone in the consumer electronics industry to show off the latest and greatest cutting-edge innovations in technology. From bendable tablets to 8k TVs and futuristic cars inspired by the movie “Avatar,” CES 2020 did not disappoint. Here are a few of the key takeaways from this year’s show:
Smart home technology is driven by convenience
As usual, smart home technology made up a solid portion of the new gadgets introduced at CES. Netatmo introduced the Netatmo Smart Door Lock and Keys which use physical NFC (meaning near field communication, a technology that allows devices to communicate with each other) keys as well as digital keys for guests. In the same realm of home security, Danby’s smart mailbox called the Parcel Guard allows couriers to deliver packages directly into the anti-theft box using a code or smartphone app.
Devices integrated with Alexa technology
CES 2020 also introduced many devices integrated with Alexa technology. Kohler debuted its Moxie showerhead, complete with an Alexa-enabled waterproof Bluetooth speaker. Along with the showerhead, Alexa was also built into a Dux Swedish luxury bed to help improve users’ bedtime routines.
CES is usually graced with a handful of smart appliances, and this year was no different. Bosch partnered with the recipe and meal-planning app Chefling to showcase its high-tech Home Connect Refrigerator, which uses cameras to track which food items users have stocked and suggests recipes based on that information.
Mind-reading wearables translate thoughts into digital commands
CES featured several products that let users control apps, games, and devices with their minds. Companies have developed devices that can record brain signals from sensors on the scalp or devices implanted within the brain and translate them into digital signals. For example, NextMind has created a headset that measures activity in the visual cortex and translates the user’s decision of where to focus his or her eyes into digital commands. This technology could replace remote controls, as users would be able to change channels, mute, or pause just by focusing on triangles next to each command.
Another company focused on the brain-computer interface is BrainCo. This company debuted their FocusOne headband at CES this year, complete with sensors on the forehead measuring the activity in the frontal cortex. This device is designed to measure focus by detecting the subtle electrical signals that your brain is producing. These headbands are designed to help kids learn how to focus their minds in class. BrainCo also has a prosthetic arm coming to market later this year which detects muscle signals and feeds them through an algorithm that can help it operate better over time. What’s more, this device will cost less than half of an average prosthetic.
Foldable screens are still a work-in-progress
This year’s event was colored with folding screens. However, most of these devices were prototypes without proposed ship dates. A likely reason for the lack of confidence in these devices by their manufacturers is that they are unsure if the screens will be durable enough to sell. Some of these work-in-progress devices include Dell’s Concept Ori, Intel’s Horseshoe Bend, and Lenovo’s ThinkPad X1 Fold. Nevertheless, folding devices provide a new opportunity for manufacturers to play around with device forms, such as a phone that turns into a tablet.
Cybersecurity’s role in evolving technology
As consumer technology continues to evolve, the importance of securing these newfangled devices becomes more and more apparent. According to panelists from the CES session Top Security Trends in Smart Cities, by making products “smarter,” we are also making them more susceptible to hacking. For example, the McAfee Advanced Threat Research (ATR) team recently uncovered security flaws in multiple IoT smart home devices. The first is the Chamberlain MyQ Hub, a “universal” garage door automation platform that can be hacked to cause a user’s garage door to open unintentionally. The second is the McLear NFC Ring, a household access control device used to interact with NFC-enabled door locks, which can be cloned to gain access to a user’s home.
Keep cybersecurity a top priority
Although CES 2020 has introduced many new devices aimed at making users’ lives easier, it’s important to keep a secure home as a top priority as gadgets are brought into their lives. As new McAfee research has revealed, the majority of Americans today (63%) believe that they as the consumer are responsible for their security. This could likely be attributed to more Americans becoming aware of online risks, as 48% think it’s likely to happen to them. To feel confident bringing new technology into their homes, users are encouraged to proactively integrate online security into everyday life.
Need for increased cybersecurity protection
As the sun sets on another fabulous CES, it’s clear that technological innovations won’t be slowing down any time soon. With all of these new advancements and greater connectivity comes the need for increased protection when connected to the internet. All in all, CES 2020 showed us that as technology continues to improve and develop, security will play an ever-increasing role in protecting consumers online.
Stay up to date
Whether it is an EPOS system at a fast food venue or large display system at a public transport hub, interactive kiosks are becoming popular and trusted conduits for transacting valuable data with customers.
The purpose of interactive kiosks, and the reason for their increasing prevalence, is to drive automation and make processes more efficient. For many businesses and government departments, they are the visible and tangible manifestations of their digital transformation.
Kiosks are information exchanges, delivering data and content; ingesting preferences, orders and payments. With so much data going back and forth, there is huge value. However, wherever there is value, you’ll find malicious and criminal activities seeking to spoil, subvert or steal it.
Three categories of Cyber Threat
Kiosks are just the latest in a long line of data-driven objects that need protecting. At stake is the very heart (and public face) of digitally evolved organisations.
- Threats to system integrity – where kiosks are compromised to display something different. Losing control of what your kiosks look like undermines your brand and causes distress to customers. A recent example is of a well-known sportswear store in New Zealand, where a kiosk displayed pornography for 9 hours before employees arrived the next morning to disconnect it.
- Threats to system availability – where kiosks are compromised to display nothing. In other words, they go offline and, instead of displaying some kind of reassuring ‘out of order’ message, give the appearance of a desktop computer with frozen dialogue boxes or raw lines of code. Examples of this are all too common, but are typically characterised by ‘the blue screen of death’.
- Threats to system confidentiality – where kiosks show no outward signs of compromise, but are in fact collecting data illegally. Such attacks carry significant risk over and above creating nuisance or offence. Examples include one of the largest self-service food vending companies in the US suffering a stealthy attack whereby the payment card details and even biometric data gleaned from users at kiosks may have been jeopardised.
Regulatory reforms are all well and good, but technology (AI, machine learning, blockchain, etc.) is evolving rapidly and organisations must be as proactive about the cybersecurity challenge as possible or risk falling behind the digital innovation curve.
Becrypt work with the UK Government and the National Cyber Security Centre (NCSC) to develop solutions in line with core objectives sought by NIS and other regulations, for use in public sector environments. At the same time, we are seeing private sector businesses increasingly coming under the sorts of cyberattacks more commonly associated with the public sector.
Paradox: The Secure, Linux-based OS for Interactive Kiosks
Government research has determined that the best way to mitigate threats to interactive kiosks, and safeguard wider digital transformation objectives, is to secure the kiosk operating system (OS).
Becrypt have developed, in collaboration with NCSC, Paradox: a secure Linux-based OS and management platform for kiosks. Paradox incorporates a secure-by-design architecture, ensuring kiosks remain in a known healthy state, free of malware. For organisations concerned about the potential for attack, this provides absolute certainty that every time a machine is switched on, its OS and all its applications have not been compromised.
Likewise, another common concern with kiosks is managing hundreds or even thousands of geographically dispersed devices without being able to check on or remediate system health. Should it detect anything unusual, Paradox will automatically roll back to the last known good state, presenting a functioning system rather than an offline/unavailable one. This avoids the onset of ‘bluescreen’ failures and allows administrators to visualise and manage kiosks in an easy and low-cost way. Automated security and patch management further ensures that devices are always kept up-to-date.
Paradox is also a very lightweight OS, which shrinks the potential attack surface and ensures the entire kiosk estate is not susceptible to common exploits. It also carries a number of advanced security controls that make it more difficult to attack, such as a sandboxed user account for privilege escalation prevention. OS components are also mounted as ‘read-only’, thereby preventing persistent, targeted attacks.
Spurred on by consumer demand for deeper interactions and easier, more personalised experiences, the exponential growth in interactive kiosks is plain to see in public spaces everywhere. And as this shift encourages more private and public sector organisations to do more with their data, the onus is on all of us to protect it.
From the Lifx Switch smart switch to the Charmin RollBot to Kohler Setra Alexa-connected faucets, CES 2020 has introduced new devices aimed at making consumers’ lives easier. With so much excitement and hype around these new gadgets, however, it can be challenging to make security a top priority. That’s why McAfee is urging users to keep cybersecurity top-of-mind when bringing these new devices into their home so they can protect what matters.
New McAfee research reveals that consumer perceptions of security accountability have shifted in the last couple of years. For example, the majority of Americans today (63%) stated that they as the consumer are responsible for their security while last year only 42% of Americans felt that they are responsible. This shows that users are becoming increasingly aware of how to ensure that they are protecting their privacy and identity. This year-over-year increase could likely be attributed to more Americans becoming aware of online risks, as 48% think it’s likely to happen to them. Additionally, 65% are concerned about the security of connected devices installed in their homes, such as the Chamberlain MyQ Hub garage door opener and the McLear Smart Ring. While these devices are convenient, the McAfee Advanced Threat Research team recently revealed they contained security flaws that could allow a hacker to enter a victim’s home.
It’s important to recognize that security is a proactive effort that should be seamlessly integrated into everyday life. So, how can consumers take charge and feel confident bringing new technology into their homes while staying safe? Check out the following tips to keep in mind as our lives continue to be more connected:
- The little things count. Hackers don’t have to be geniuses to steal your personal information. Minor habits like changing default passwords and using unique passwords can go a long way to prevent your personal information from being stolen.
- Do your research. Look up products and their manufacturers before making a purchase. This could save you from buying a device with a known security vulnerability. If you find a manufacturer doesn’t have a history of taking security seriously, then it’s best to avoid it.
- Use a comprehensive security solution. Use comprehensive security protection, like McAfee Total Protection, which can help protect devices against malware, phishing attacks, and other threats. It also includes McAfee WebAdvisor, which can help identify malicious websites.
- Update, update, update. When applications on your devices need updating, be sure to do it as soon as possible. Most of these updates include security patches to vulnerabilities.
McAfee commissioned 3Gem to conduct a survey of 1,000 adults in the US who regularly use electronic devices, such as phones and laptops.
The post Research Reveals Americans’ Perceptions of Device Security Amidst CES 2020 appeared first on McAfee Blogs.
The McAfee Advanced Threat Research (ATR) team recently uncovered a security flaw in a popular connected garage door opener and a security design issue in an NFC smart ring used to unlock doors (NFC, or near field communication, is a technology that allows devices to communicate with each other). As we head into CES 2020, the global stage where innovators showcase the next generation of consumer technologies, let’s take a look at these new security flaws and discover how users can connect securely and with confidence.
Review Chamberlain IoT device
The McAfee ATR team recently investigated the Chamberlain MyQ Hub, a “universal” garage door automation platform. The Hub acts as a new garage door opener, similar to the one that you would have in your car. However, the McAfee ATR team discovered an inherent flaw in the way the MyQ Hub communicates over radio frequency signals. It turns out that hackers can “jam” the radio frequency signals while the garage is being remotely closed. How? By jamming or blocking the code signal from ever making it to the Hub receiver, the remote sensor will never respond with the closed signal. This delivers an error message to the user, prompting them to attempt to close the door again through the app, which actually causes the garage door to open.
How can the Chamberlain IoT device be hacked?
Let’s break it down:
- Many users enjoy using the MyQ Hub for the convenience of package delivery, ensuring that their packages are safe from porch pirates and placed directly in the garage by the carrier.
- However, an attacker could wait for a package delivery using the connected garage door opener. The hacker could then jam the MyQ signal once the carrier opens the door and prompt an error message for the user. If and when the user attempts to close the door, the door will open and grant the attacker access to the home.
- An attacker could also wait and see when a homeowner physically leaves the premises to jam the MyQ signal and prompt the error message. This would potentially allow further access into the home.
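The state confusion described above can be reproduced in a small model, added here as an illustration and not taken from the McAfee research or Chamberlain's code. It assumes the opener is driven by a single pulse that reverses the door and that the hub only updates its belief when a confirmation arrives; `NaiveHub`, `FailSafeHub` and `run_scenario` are hypothetical names.

```python
from enum import Enum

class State(Enum):
    OPEN = "open"
    CLOSED = "closed"
    UNKNOWN = "unknown"

class Door:
    """Physical door: one pulse reverses its position (assumed behaviour)."""
    def __init__(self):
        self.position = State.OPEN
    def pulse(self):
        self.position = State.CLOSED if self.position is State.OPEN else State.OPEN

class NaiveHub:
    """Assumed weak logic: belief changes only when a confirmation is received."""
    def __init__(self, door):
        self.door, self.believed = door, door.position
    def close(self, confirmation_received):
        if self.believed is State.CLOSED:
            return "already closed"
        self.door.pulse()
        if confirmation_received:
            self.believed = self.door.position
            return self.believed.value
        return "error"  # the door moved, but the hub still believes it is open

class FailSafeHub(NaiveHub):
    """Mitigation: a lost confirmation makes the state UNKNOWN and blocks retries."""
    def close(self, confirmation_received):
        if self.believed is State.UNKNOWN:
            return "blocked: verify the door before sending another command"
        result = super().close(confirmation_received)
        if result == "error":
            self.believed = State.UNKNOWN
        return result

def run_scenario(hub_cls):
    """Close request whose confirmation is lost, followed by the user's retry."""
    door = Door()
    hub = hub_cls(door)
    hub.close(confirmation_received=False)  # sensor report never arrives
    hub.close(confirmation_received=True)   # user retries from the app
    return door.position
```

With the naive logic the retry leaves the door open; the fail-safe variant refuses to move the door again until its state has been re-established.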
Review McLear NFC Ring IoT device
The McAfee ATR team also discovered an insecure design with the McLear NFC Ring, a household access control device that can be used to interact with NFC-enabled door locks. Once the NFC Ring has been paired with an NFC-enabled door lock, the user can access their house by simply placing the NFC Ring within the NFC range of the door lock instead of using a traditional house key. However, due to an insecure design, hackers could easily clone the ring and gain access to a user’s home.
How can the McLear NFC Ring be hacked?
- First, the attacker can do some basic research on the victim, such as finding a social media post about how excited they are to use their new McLear NFC Ring.
- Now, say the attacker locates the victim in a public setting and asks the victim to take a picture of the attacker using the attacker’s phone. The attacker’s phone, equipped with an app to read NFC tags, can record the relevant information without giving any signs of foul play.
- The McLear NFC Ring is now compromised, and the information can be programmed on a standard writable card, which can be used to unlock smart home locks that partner with the product.
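Why a credential that can simply be read and copied is an insecure design, next to a challenge-response design that resists copying, shown as an added example (not McLear's or McAfee's code). It assumes the lock accepts whatever static identifier the tag presents; the class names and the sample identifier are constructed for illustration.

```python
import hashlib
import hmac
import secrets

class StaticIdLock:
    """Assumed weak design: any tag presenting an enrolled identifier opens."""
    def __init__(self):
        self.enrolled = set()
    def enroll(self, tag_id):
        self.enrolled.add(tag_id)
    def unlock(self, presented_id):
        return presented_id in self.enrolled

class KeyedTag:
    """Tag holding a secret key that is never transmitted."""
    def __init__(self, tag_id, key):
        self.tag_id, self._key = tag_id, key
    def respond(self, challenge):
        return hmac.new(self._key, self.tag_id + challenge, hashlib.sha256).digest()

class ChallengeResponseLock:
    """Lock that demands a MAC over a fresh random challenge on every attempt."""
    def __init__(self):
        self.keys = {}
    def enroll(self, tag_id, key):
        self.keys[tag_id] = key
    def unlock(self, tag_id, respond):
        key = self.keys.get(tag_id)
        if key is None:
            return False
        challenge = secrets.token_bytes(16)
        expected = hmac.new(key, tag_id + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, respond(challenge))

RING_ID = bytes.fromhex("04a1b2c3d4e5f6")  # constructed sample identifier

def demo_static():
    lock = StaticIdLock()
    lock.enroll(RING_ID)
    copied = bytes(RING_ID)        # what a single read of the ring yields
    return lock.unlock(copied)     # a card carrying the copy is accepted

def demo_challenge_response():
    key = secrets.token_bytes(32)
    ring = KeyedTag(RING_ID, key)
    lock = ChallengeResponseLock()
    lock.enroll(RING_ID, key)
    recorded = ring.respond(bytes(16))  # answer observed in an earlier exchange
    genuine = lock.unlock(RING_ID, ring.respond)
    replayed = lock.unlock(RING_ID, lambda challenge: recorded)
    return genuine, replayed
```

When evaluating an NFC access product, the practical question is which of these two models it follows: whether reading the tag once yields everything the lock checks.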
How to keep your IoT devices safe from hacking
In the era of IoT devices, the balance between cybersecurity and convenience is an important factor to get right. According to Steve Povolny, head of McAfee Advanced Threat Research, “the numerous benefits technology enhancements bring us are exciting and often highly valuable; but many people are unaware of the lengths hackers will go and the many ways new features can impact the security of a system.” To help safeguard your security while still enjoying the benefits of your connected devices, check out the following tips:
- Practice proper online security habits. Fortunately, users have many tools at their disposal, even when cybersecurity concerns do manifest. Implement a strong password policy, put IoT devices on their own, separate network, utilize dual-factor authentication when possible, minimize redundant systems, and patch quickly when issues are found.
- Do your research. Before purchasing a new IoT device, take the time to look into its security features. Users should ensure they are aware of the security risks associated with IoT products available on the market.
The post What You Need to Know About the Latest IoT Device Flaws appeared first on McAfee Blogs.
- Cyber Attacks are the Norm
- Only Focused on Patching? You’re Not Doing Vulnerability Management
- 12 days of Christmas Security Predictions: What lies ahead in 2020
- How the Cyber Grinch Stole Christmas: Managing Retailer Supply Chain Cyber Risk
- Plundervolt! A new Intel Processor 'undervolting' Vulnerability
- MoJ Reports Over 400% Increase in Lost Laptops in Three Years
- Accelerated Digital Innovation to impact the Cybersecurity Threat Landscape in 2020
- Cyber Security Roundup for November 2019
- Three Consequences of a Misaddressed Email
- New Year Honours List 1,000 Recipients Addresses Published Online in Error
- UK’s Cyber Security Chief Ciaran Martin to step down from NCSC
- Hijacked Bank of England Audio Feed Sold to Hedge Funds Seconds Ahead of Broadcast
- Santa Hacker Speaks to Girl via Smart Camera
- 1.6 billion LightInTheBox Customer Records left Exposed
- Spanish Security Company Prosegur hit with Ryuk
- Open Dark Web Database Exposes Info on 267 Million Facebook Users
- Open Database Exposes 26,000 Honda Motors Customers
- Iran 'foils second Cyber-Attack in a week'
- Briton extradited over claims he was key member of hacker group 'Dark Overlord'
- Microsoft Patches 35 Vulnerabilities, including 6 Critical for Visual Studio, Win32k and Hyper-V
- Microsoft issues an Advisory for a SharePoint Vulnerability
- Adobe Patches 25 Vulnerabilities, 21 in Acrobat products
- Intel Patches 15 Vulnerabilities affecting Software and Firmware
- WordPress Patches Four Security Vulnerabilities
- Mozilla Patches 11 Vulnerabilities in Firefox 71 and ESR 68.3
- Citrix Vulnerability places 80,000 Companies at Risk
- The Top 20 Vulnerabilities to Patch before 2020
- 2020 Cybersecurity Forecasts: 5 Trends and Predictions for the New Year
- Visa Warns against new POS attacks, Fin8 fingered as the Culprit
- Momentum Botnet Spotted in the Wild
- Chinese State 'likely' linked to Cyber Spies Targeting Human Rights Workers
- Biggest Malware Threats of 2019
- China-Based Cyber Espionage Group Targeting Orgs in 10 Countries
- Microsoft Reveals Phishing Tactic Evolution
- Microsoft Security Intelligence Report
- PreciseSecurity.com Research: XSS Nearly 40% of All Attacks
5G and IoT
Death of the Password
More Power to Data Protection Regulations