Author: Dr. Philip Cao

I have been looking into the privacy risks of the Internet of Things (IoT) for the past few years. I initially became interested through my work with National Institute of Standards and Technology (NIST) while researching the privacy risks of the smart grid and leading the group responsible for NISTIR 7628 Volume 2, and then a new version two years later in NISTIR 7628 Volume 2 Revision 1. Looking into smart meters led to my personal research of looking into smart appliances and then wearables.

For the past year, I have been working with a large medical devices group (and spoke at its conference) to identify the information security and privacy risks that are created by new and emerging medical devices, many of which are “smart” devices, generally meaning they are also part of the IoT. Smart medical devices can bring significant benefits to the associated patients, such as automatically applying medication based upon health readings, or sending alerts to a physician or hospital in the event of a medical emergency. However, they also create privacy risks when inappropriate entities get access to the data and use it for malicious actions. For instance, health insurance companies that use the medical device data as a basis to increase insurance premiums or cancel health insurance coverage; or those with ill intent accessing the medical device to do physical harm to the associated individual.

I also gave a keynote at an international conference in Bogotá, Colombia, about IoT and associated risks. And, I will be speaking on this topic again at a conference in Melbourne, Australia, in October. Privacy and information security of IoT truly is a hot topic around the world. And it is with good reason. Here is just one real-life example of how weak controls within smart devices were exploited and resulted in privacy and/or information security harm:

• TRENDnet told customers that its web-enabled wireless home security and baby monitoring cameras were secure. However, starting in January 2012 a hacker exploited the lack of security controls in the devices and sent livestream images to multiple Internet sites showing the images and sounds of people and their activities from the rooms where they were used. TRENDnet agreed to a sanction consisting of a 20-year consent decree to implement a comprehensive security and privacy program, and be subject to ongoing audits from the Federal Trade Commission (FTC).

A recent 2014 HP Security Research study determined 70% of these smart IoT connected devices are vulnerable to attack. Why? Three common culprits include: 1) insecure Web interfaces, 2) insufficient software protections and 3) lack of encryption.

Resulting high-level risks (as described within NIST’s draft Privacy Engineering Workshop papers) from these vulnerable IoT devices include:

• Personal information may be used in ways that exceed the associated individual’s expectation or authorization.
• The use or dissemination of inaccurate or misleadingly incomplete personal information can lead to breaches or inappropriate actions.
• Loss of autonomy of the associated individuals through induced disclosure of data from the devices
• Loss of trust, as well as exposing individuals to economic loss, and stigmatization
• Tracking or monitoring of personal information that is disproportionate to the purpose of the device
• Exposure of the associated individual in unexpected way, stigmatization, power imbalance and loss of trust and autonomy
• Denial of access to the device leading to exclusion, economic loss, loss of trust, or physical harm
• Inappropriate access leading to changes in device settings, changes to the device data, or misuse of the data, leading to physical harm to the associated individual

While doing research and visiting with others to discuss IoT issues, I have had interesting conversations with many bright and insightful folks. Here are some important recurring points made during these experiences, with which most agree:

• Current information security and privacy controls are not sufficient for most IoT devices.
• IoT devices typically collect, share and process data automatically, more often with no human intervention. This makes it essential for the engineers creating the devices to have a good understanding of the related information security and privacy risks, and how to build the devices to appropriately mitigate the risks.
• We cannot wait for laws or regulations to be created to govern the privacy and security of IoT devices. We must be proactive and establish such controls now, based on our own expertise and cooperative research. This will ensure that the billions of devices that will soon be put into use will not create a security and privacy disaster.

I am encouraged by NIST’s initiative to create privacy engineering standards, and ISACA’s support and participation in that initiative. The goal is to provide privacy engineers with standards to use to build controls into IoT devices—hopefully in the not so distant future. I believe ISACA will play a key role in getting those standards created and communicated and will provide guidance on how to use them for ISACA members worldwide.

If you would like to learn more, please view the video of the April NIST Privacy Engineering Workshop session where I represented ISACA: http://cdnapi.kaltura.com/index.php/extwidget/openGraph/wid/0_eac0g2ra.

Rebecca Herold, CISA, CISM, CISSP, CIPP, FLMI
Owner & CEO, Rebecca Herold & Associates

[Source: ISACA]

Security researchers hack Canon printer firmware to run the classic 90s video game Doom as well as to wreak havoc with other manipulations.

Security researchers are telling a story of Internet of Things (IoT) Doom, but it might not be exactly the doom you expect: Last week at 44Con in London, a researcher showed off a hack of a vulnerability in a Canon Pixma printer that made it possible to remotely modify the printer’s firmware so that its LED indicator screen could run the classic first-person-shooter game, Doom.

The presentation wasn’t all fun and games: The proof-of-concept attack showed how possible it would be to easily update the printer with a Trojan for spying on printed documents or other malicious software to establish a foothold into a network.

According to Mike Jordon, head of research at UK-based Context, who presented the hack, the web-enabled interface that these printers use to show information about the printer’s ink levels and settings has no user authentication to control who can connect to it.

“At first glance the functionality seems to be relatively benign, you could print out hundreds of test pages and use up all the ink and paper, so what?” writes Jordan. “The issue is with the firmware update process.  While you can trigger a firmware update you can also change the web proxy settings and the DNS server. If you can change these then you can redirect where the printer goes to check for a new firmware.”

Canon has no protection to prevent bad actors from manipulating the firmware update process for malicious ends. There is no signing, and at best there is weak encryption protecting the firmware file. The encryption utilizes repeating patterns, which made it easy enough for Jordon and his team to break in order to carry out their attack.

The Context team used Shodan to sample about 9,000 of the 32,000 IP addresses that the scanner indicated could have a vulnerable printer. Among those addresses that responded, about 6 percent had a vulnerable firmware version, leading Jordon to estimate about 2,000 vulnerable models are likely directly connected to the Internet. The lack of authentication makes it possible to attack, not only those printers directly connected to the Internet, but even those not directly accessible, such as ones behind NAT on a home network or on an office intranet. His team was able to do so by scanning local networks using JavaScript port scanning through cross-site request forgery attacks that modified printer configurations.

“Although the printer is not actually on the Internet, this is possible because the malicious web page initiates requests from the user’s browser which is on the same network as the printer,” says Jordon.

According to Canon, it is currently working on a fix for the problem, and it says all future Pixma products will have authentication for their interfaces. While Jordon and his colleagues at Context say they aren’t aware of anyone in the wild using this type of attack, they hope to build awareness so that security can be built into these devices before the bad guys start to take advantage.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

[Source: DarkReading]

Apple Pay is a strategic move that will rival PayPal and other contenders in the mobile wallet marketplace. The big question is whether consumers and businesses are ready to ditch the plastic.

Apple Pay enables a safe and secure transaction between Apple devices and a retailer’s contactless payment reader or online storefront. The consumer avoids the tedious step of swiping or entering credit card numbers or passwords since it’s already stored in Passbook, an application first introduced in iOS 6.

What’s important is how Apple Pay transforms traditional theft-prone credit cards into a unique Device Account Number stored securely on a special chip in the device. It then pairs that number with transaction-specific dynamic security codes. This ensures that intercepted transactions cannot be used to conduct fraud, because each security code is only good for the one transaction. This is the most obvious benefit, similar to the protections in place with EMV: to prevent the chips from being copied.

Another less obvious security benefit Apple Pay has over EMV is that sensitive card data is never handled by the merchant. As demonstrated in my recent Black Hat USA presentation, EMV passes plain-text card data to point-of-sale systems, which can later be stolen by RAM scrapers and used to commit fraud. With Apple Pay, the physical phone becomes the sole point for potential exploitation. Hopefully, Apple has implemented significant and sophisticated measures into protecting card data stored in the iPhones’ Passbook from theft or unauthorized use. Regardless, removing sensitive payment data from the merchants’ hands is a necessary step to solve the increased breach epidemic retailers have been facing.

What’s especially bold is Apple’s move to bypass the payment processors that have been used for decades. POS and online ordering systems integrated to support Apple Pay can send the Device Account Number and the dynamic transaction security code directly to the card issuer for approval. In essence, Apple is creating its own secure payment network to facilitate its proprietary payment technology.

Long history of failure
Unfortunately, adoption will be a significant challenge. If you look at past attempts to change consumer payment behavior, there’s a long list of failures. For example, contactless payments were rolled out on a limited basis by inserting a rice-sized RFID chip in credit cards a purchaser waves in front of the terminal instead of swiping the magnetic stripe. Adoption in the United States was abysmal. More recently, mobile wallet offerings such as Visa payWave used NFC for contactless payments in stores, but gained little traction beyond pilot implementations.

Apple Pay is a strategic move to expand further into the major mobile wallet marketplace to rival PayPal and other contenders. The big question is whether Apple can succeed in convincing consumers and businesses to ditch the plastic. They both need compelling benefits to justify the behavioral changes. For example, Starbucks successfully leveraged its mobile application with payment capabilities to enhance the customer experience and drive its loyalty program.

One way Apple could incentivize adoption is by providing loyalty points for purchases made using Apple Pay, redeemable in the form of Apple Store purchases. Consumers would get rewarded for making the switch while driving increased traffic to the Apple stores. This in turn would generate demand for merchants to support Apple Pay. Finally, by eliminating the payment processors from the transaction flow, retailers would reap greater benefits with lower processing fees and increased cost savings that yield higher profits.

If successful, Apple Pay would cement Apple’s dominance across the user experience and extend its domain to mobile payments where the biggest potential is in the rapid adoption of m-commerce, defined as shopping online from handheld devices. Forrester Research projects m-commerce in the United States to top $293 billion by 2018.

Lucas Zaichkowsky is the Enterprise Defense Architect at AccessData, responsible for providing expert guidance on the topic of cyber security. Prior to joining AccessData, Lucas was a technical engineer at Mandiant where he worked with Fortune 500 organizations, the Defense industrial base, and government institutions to deploy measures designed to defend against the world’s most sophisticated attack groups.

[Source: DarkReading]

Data generation is global, so why do different parts of the world react differently to the same threat of security breaches and backdoors?

Snowden’s revelations and the backlash that followed also illustrate the dramatic international differences in privacy vs. security values. Working with customers in both the US and in Europe, I’ve seen firsthand how those differences impact how security systems are architected. Beginning with “what is the data being protected?” vs. “how do we keep the bad guys out?” will lead to two very different security solutions.

While Europe has some of the strictest data privacy protection rules worldwide, the US security design principle primarily seeks to protect and prevent attacks toward the system. In Europe, strict rules enforce how companies can and should disclose and store personal information. From a national level, governments are pushing for even stronger regulations, coming together within the European Union to sign a common statute that outlines privacy practices around the disclosure and storage of personal information along with remedies for violations and independent government agencies that provide oversight. Additionally, corporations commonly add an additional privacy layer by establishing employee councils with the purpose of safeguarding employee information.

By comparison, US companies are more autonomous in their ability to deal with the disclosure and storage of personal information. In comparison to Europe, the US government does little to limit companies from tracking people across the web and selling their information to third-parties. Additionally, US companies can decide at their own discretion how much information they wish to reveal about their data practices. As it would seem, US companies seek primarily to secure sensitive information with the intent to protect and prevent attacks toward the system, without as much regard for the privacy of their customers and employees.

It’s all about culture and history
Data generation is global, so why do different parts of the world react differently to the same threat of security breaches and backdoors? Part of the reason is the distinctly different cultural-political heritage between the US and Europe. While European culture is more conservative and risk-adverse, the US is more risk-taking and innovative. Some US technology experts claim that stricter privacy regulations would stifle innovation. As an individualistic society, the US has mostly left it up to companies to decide how people’s online data should be handled. By contrast, Europe’s policies highlight the significance of privacy being safeguarded by the government.

Historical differences in the US and Europe can help explain the subtle aspects of their different trust cultures. European countries, specifically Germany after WWII, became sensitive to secret services spying on their citizens. As a result, very strict privacy rules have been implemented and governments and larger organizations must adhere to these standards when handling any personal data. Whether it is a national census or new electronic ID cards, Telecom data retention or email marketing databases, in general Europeans have had strongly held beliefs about individual privacy rights for a much longer time period than in the US where government spying has only recently become a public concern.

The controversy around data privacy extends beyond individual companies and also focuses on how much access the government should have to people’s private information. The NSA documents that Snowden leaked to the press revealed how US intelligence agencies routinely demanded access to US companies’ troves of consumer data.

For example, Microsoft recently lost a ruling against a US court to turn over a customer’s data stored in a European data center because the data was judged within reach of US search warrants. This case shows that the US government believes that it has the right to access US companies’ information, even if that information is stored overseas. What’s at stake here is the privacy protection of individual data and this ruling is the perfect manifestation of how European and US privacy laws have come to clash. The outcome of this and subsequent rulings will have a significant impact on US cloud service providers doing business internationally.

Schengen Cloud
German Chancellor Angela Merkel is at the forefront of the European Union which is seeking to fight back against what the EU considers the overarching reach of US intelligence agencies. Some European countries are trying to move forward with a data protection policy dubbed the “Schengen Cloud,” a Europe-only integrated electronic communication network. The idea behind Schengen Cloud is to give European countries control over its own networks without the US being a middleman. However, the US has come out stronglyagainst the proposal, saying that it provides an advantage to European-based information and communications technology (ICT) providers.

Data privacy differences between the US and Europe have already impacted business and political relations. Germany recently announced that it will not renew its contract with Verizon over fear that the company could turn over its communications to US intelligence agencies. The German government is now requiring telecom providers to sign contracts that confirm that they are not legally obligated to share information with foreign governments. In the face of such developments US companies run the risk of losing out on business deals if other governments follow suit and adapt to the German government’s stance on data privacy. In fact, the Information Technology & Innovation Foundation (IFTF) released a study in 2013 that estimated that the US cloud computing industry could lose up to $35 billion over the next three years as a result of the NSA spying revelations.Some US companies may even consider relocating their headquarters outside of the US to protect their data and their business contracts.

As more devices become Internet-enabled and the amount of data generated continues to skyrocket, organizations in the business of data protection will need to take a stance on privacy vs. security — no matter what side of the geographical border they are on.

Malte Pollmann successfully spearheaded Utimaco’s buy-out from the Sophos Group in September 2013. Prior to Utimaco’s independence, he served as VP of Business Development and General Manager of the company’s two business units: Hardware Security Module (HSM) and Lawful Interception and Monitoring Solutions (LIMS). Previously, he was product director and business unit leader at Lycos Europe NV (a Bertelsmann company) based in Germany and Paris. He was responsible for managing European product and marketing efforts and had a key role in driving the post-merger integration of French companies Multimania and Caramail SA. With a Master’s degree in physics from the Universities of Paderborn and Kaiserslautern in Germany, Pollmann also received a general management education at INSEAD in Fountainbleau, France. In parallel to his work at Utimaco, he also serves on the supervisory board of the International School of IT-Security, isits AG, Bochum.

[Source: DarkReading]

I spent 25 years in the Washington, DC area, and during that time I became a National Public Radio junkie. I guess I still am. I recently listened to a report on a comprehensive study about how people in the workplace react to the news about a coworker that’s been diagnosed with breast cancer.^[i] The results of the study shocked me. The worse the diagnoses and the closer employees physically worked to the diagnosed coworker, the less likely those working in close proximity were to seek cancer screening.

Similarly, as the conversation about the complexities, costs, and potential breaches is elevated to senior management, all too frequently, the more senior management learns, the less they want to know. I liken this to the person who frets over potentially getting cancer, while simultaneously avoiding cancer screening because they don’t want to hear bad news. Debates on screening methods aside, most would agree that this is a very dangerous approach regarding personal health. Taking “the less we know the better” approach when it comes to an organization’s information security health has broader implications on stakeholders and customers. Suffice it to say, this goes beyond a personal choice: It’s an inherent organizational responsibility.

There is a tendency to wait until something really bad happens before action is taken. Leadership wants to know the magic answer to questions like: When will be we secure? How many people and how much does it cost to secure the enterprise? There’s a perception that information security professionals are dodging these questions, and this perception can negatively impact an organization’s willingness to invest and take information security seriously. When senior leadership hears that providing a guarantee that the organization is secure isn’t possible, there’s a tendency to take chances and adopt the following mindset: What’s the point? We don’t want to bother screening to determine the health of our information security posture. If you can’t guarantee that we don’t have a problem, we don’t want to know. When it comes to personal health, if studies show a tendency to take an aversion to receiving bad news, why would it be any different for an organization to do the same?

Unfortunately, the geographical scope of cybersecurity attackers and their adversaries is expanding rapidly. Consequently, statistics show that the “hope nothing happens approach” is more and more likely to backfire. Organizations need a comprehensive approach that views information security programmatically. I frequently speak with (ISC)² members to elicit constructive feedback on how we can improve our products and services. Peppered into this feedback is a common theme that their respective organizations often do not take information security serious. They’ve hired a few security professionals, acquired some monitoring tools with limited staff available to review logs and take corrective action, etc.  It’s a common theme amongst our global membership. They struggle with a fairly pervasive management view that information security is a “once and done” endeavor, when in reality, it requires a systemic approach with sustained commitment (which comes in many forms). However, fundamentally it’s a sustained financial commitment and behavioral change within the organization. The information security professional deals with the inherent perception that security limits the business as opposed to enabling it.  This perception looms large in organizations that haven’t been or are unaware that they’ve been compromised. Just ask retailers and other industries whose security breaches have been widely covered in the media if they see security as an enabler or a roadblock to business operations. Granted, having an information security program does not guarantee that the enterprise will be secure: But not having an information security program can clearly lead to impacts that can threaten the viability of the organization.  Suffice it to say, information security breaches can end careers and ruin businesses.

Allstate Insurance has effectively weaved the concept that mayhem is all around us into their advertising campaigns. Creatively, they’ve also included some humor by having the guy that represents mayhem doing crazy things that put property owners at risk. Allstate hit a nerve with customers by creating a sense of urgency with fear (i.e., the term mayhem gets attention), and they add some levity with a consistent character making poor and/or careless decisions. It’s effective marketing in my opinion.

The information security profession has a similar challenge to effectively raise awareness about the enterprise being surrounded by cybersecurity mayhem. We often use the “we’re only as strong as our weakest link in the chain” mantra to explain information security. Today, the links in our enterprise chain involve people, devices, systems, networks, and access points to information assets. Unbeknownst to many organizations, external entities that wish them and their customers harm know the weakest links in their chain better than they do. When mayhem does strike, hopefully those being attacked will be “in good hands” in the form of qualified employees who are adequately resourced and trained.

Inspiring a safe and secure cyber world takes on many forms. From educating our children to educating senior management in our respective organizations about the value proposition of an information security program, our message needs to resonate with a broad and diverse audience. It’s going to take time to change the perception that information security means rules and policies that hinder business to information security being a business enabler. With the types of attacks we’ve seen recently, making the case that information security is fundamental to staying in business should no longer be a stretch.  However, we also need to be cognizant that people make up an organization and the collective individual psyche doesn’t typically respond well to bad news. That’s a barrier through which we all need to work.

Organizational denial that bad things are not happening 24/7/365 in the world of information security is not a wise business plan. Finding ways to present the value proposition of information security that resonate with leadership is critical. Moving the organization from a “we don’t want to know” to a “we need to know” mentality is essential in today’s cybersecurity threat landscape. Toward this end, we all need be persistent and stay the course. Hope is not a plan when it comes to information security.

[Source: (ISC)² Blog]