alt tag

Posts Tagged ‘IoT’


Massive IoT DDoS Attack Causes Widespread Internet Outages. Are Your Devices Secured?

Tuesday, November 1st, 2016

finger-769300_640

As you probably know already, the United States experienced its largest Internet blackout in history on October 21, 2016, when Dyn—a service that handles website domain name routing—got hit with a massive distributed denial of service (DDoS) attack from compromised Internet of Things (IoT) devices. The day will be known forevermore as the day your home IP camera kept you from watching Netflix.

The writing has been on the wall for a while now when it comes to IoT security: We’ve previously discussed how IoT devices can be used to watch consumers and break into business networks.

This specific outage is an example of how the tech industry is ignoring security mistakes of the past and failing to take a proactive approach in protecting IoT networks.

The Outage

The October outage included three separate attacks on the Dyn DNS provider, making it impossible for users in the eastern half of the U.S. to access sites including Twitter, Spotify, and Wired. This attack was different from typical DDoS attacks, which utilize malware-compromised computers to overwhelm servers with requests to knock them offline. Instead, it used malware call Mirai that took advantage of IoT devices. These compromised devices then continually requested information from the Dyn servers en masse until the server ran out of power to answer all requests, thus bringing down each site in turn.

This outage did not take down the servers hosting the platforms, but rather the metaphorical doorway necessary to access those sites.

Ongoing Security Concerns

According to ZDNet, the IoT industry is, at the moment, more concerned with putting devices on the market to beat competition than it is with making devices secure. IoT devices are notably easy to hack because of poor port management and weak password protection. IoT devices are also known for not encrypting communication data. October’s attack wasn’t even the first of its kind: A 145,000-device IoT botnet was behind a hospital DDoS attack just one month prior.

What You Can Do

MacWorld recommends changing the default security configuration settings on all IoT devices and running those devices on a secondary network. The Mirai malware works simply by blasting through default username and password credentials—so users could have protected themselves by swapping the default “admin/admin” and “password/password” settings. There are also IoT security hub devices available to compensate for IoT security shortcomings.

IoT devices can offer fantastic perks for your office, but the security concerns are too important to ignore. If you’re interested in improving network security pertaining to IoT devices or looking for advice on which IoT devices would benefit your workplace, don’t hesitate to contact MPA Networks today.

IoT Devices to Make Your Office More Efficient

Wednesday, September 21st, 2016

gdp-1398748_640

IoT devices have incredible potential to make your office more efficient. Previously we’ve discussed the caveats IoT devices bring to the workplace a few times, but today we’re going to focus on how these devices can increase productivity.

It’s easy to fall back on the old mentality “If it ain’t broke, don’t fix it”—but many smart devices can streamline processes and save money in the long run.

Smart Fridge

At first glance it might seem overloaded with bells and whistles, but the staff at Forbes insists the smart fridge is a great idea. The primary function of the smart fridge is the ability to replace food when it’s running low directly from the device itself. Reporting when something is low and streamlining the replacement process can cut down on time spent on fridge inventory and the waste of infrequently used products.

The biggest advantage, though comes from the smart fridge’s energy savings potential. Simply put, it’s more efficient than that old clunker sitting in your break room.

Smart Thermostat

Smart thermostats make it easier to control the office temperature and cut down on climate control expenses. Quartz recommends the devices for office settings on a diplomatic level as well: They can be used to crowd source the temperature setting during the work day. A famous study by the Campbell Soup Company found that thermostat temperatures have a correlative effect on employee productivity.

Smart Locks

Smart locks are one of those devices that add features you never want to have to use, but will be happy to have if the need arises. These devices connect to the office’s Wi-Fi network and can be used with smartphones for mobile access. Primarily, smart locks can be combined with electronic pins that are opened with a smartphone app instead of a physical key or 4-digit combo for tighter security.

In a pinch, you can use the application to unlock the door to let people in the office without actually being there. This can be helpful in situations where the “keyholder” is running late or off sick, or you need to allow weekend maintenance staff in remotely.

Smart Cameras

Smart cameras are a straightforward upgrade to your office’s existing security system (assuming you already have one). They’re relatively inexpensive, starting around $100 each, and offer fantastic protection against intruders. Some smart cameras can be programmed to recognize employees’ faces and alert you if someone unrecognized enters the office. You can also use the cameras to remotely check in on the office while away.

If you’re looking to make your office run “smarter,” contact the experts at MPA Networks to explore all the exciting possibilities of IoT devices. We’ll help you secure the devices on isolated secondary networks to keep your business protected now and in the future. That way, your staff can enjoy all the perks of IoT without worrying about the vulnerabilities.

Don’t Forget About Printer Security

Tuesday, August 9th, 2016

icon-287144_640

There was a time when printers—in your office or home—were considered relatively “simple” office equipment: plug it in, connect it to the local network, and keep the ink fresh, and there wasn’t much else to worry about.

But times have changed.

Today’s business printers—enterprise-level equipment or smaller, multi-function printer/scanner/copiers—include as much document storage capabilities and sophisticated processing power as any other point on the network, another example of the ever-expanding Internet of Things. But while PCs and laptops are almost constantly under the watchful eye of their individual users, networked printers generally sit by themselves for long stretches of time when there are no “jobs” to print.

For many companies, unsecured printers become the weakest link in their network security chain—and a prime point of entry for hackers.

Malicious Mischief, or Worse

Case in point: This past March, a notorious Internet “troll” targeted over a dozen prominent universities around the U.S., hijacking multiple networked printers to print racist material. Colleges were considered an inviting target because printers are often purchased directly by academic departments with little oversight by campus IT management.

Since around 2000, most business-class imaging products have included their own hard drives—capable of storing every document ever printed or copied. A 2010 investigative report by CBS News revealed that “high mileage” used photocopiers—typically available for a few hundred dollars on the resale market—contained un-encrypted hard drives with a slew of easily retrievable data—account numbers on copied checks, pay stubs with personal info, and other valued commodities for any identity thief.

Practicing Printer Hygiene

We’ve noticed many new customers who’ve neglected security on their office printers. Here are a few important areas to keep in mind:

  • Management. Appoint a single person as your printer “administrator”—understanding its functions, instructing others how to operate it, basic maintenance (beyond paper jams or toner changes), and enforcing security policy. Check for stray documents left in the input or output trays at the end of the workday.
  • Protection. Make sure your printers are included in your network firewalls and other security measures.
  • Updates. Unlike computers, manufacturers’ firmware updates are rarely downloaded automatically. Check often for the latest online security patches.
  • Authentication. Require users to be present at the printer during every print job, requiring individual passwords, smart badges, or fingerprint scans.
  • Encryption. Encode both network traffic and documents stored on the printer’s hard drive.
  • Data Scrubbing. As we’ve recommended for computers, make sure a printer’s internal memory is completely wiped clean at the end of its use life.

For more ideas on safeguarding your printers along with the rest of your network, talk with us.

The “Seven Deadly Sins” of Ransomware

Wednesday, June 29th, 2016

 

seven-1181077_640

Readers of our blog over the past few years know we were among the first in the Bay Area to warn our customers about the growing threats of ransomware—from the emergence of CryptoLocker and CryptoWall to our federal government’s startling admission that they’re virtually powerless to stop it.

Mostly originating from sophisticated cyber-gangs in Eastern Europe, ransomware may be the most profitable organized crime scheme in the world today.

We weren’t exactly surprised, then, when we received 2016 Will Be the Year Ransomware Holds America Hostage,” a 40-page report from The Institute for Critical Infrastructure Technology (ICIT), a non-profit cybersecurity think tank.

The ICIT report is a comprehensive review of the ransomware landscape—from its earliest origins to the major active strains “in the wild” to the likeliest targets (particularly American small businesses). Today we’d like to highlight the seven delivery channels of ransomware and other malware infections—what we refer to as “The Seven Deadly Sins.”

1. Traffic Distribution Systems (TDS)

If you visit a website and suddenly see an annoying pop-up ad, it’s because the website sold your “click” to a TDS vendor, who contracted with a third-party advertiser. Pop-up blockers have rendered most pop-up ads obsolete, but some of the shadiest TDS vendors contract directly with ransomware groups to spread exploit kits and “drive-by downloads.”

2. Malvertising

As we discussed last July, even trusted web pages can include third party ads embedded with malware-inducing code. One click on a bogus ad can wreak havoc.

3. Phishing Emails

From phony bills and résumés to bogus “unsubscribe” links in annoying spam, email recipients can be tricked into clicking a link allowing an instant viral download of ransomware. Research reveals that despite strong security training, up to 15% of employees still get duped by phishing schemes.

4. Gradual Downloaders

Exploit kits and ransomware can be discreetly downloaded in “segments” over time, evading detection by most anti-virus defenses.

5. Social Engineering

Also known as simple “human ignorance,” a user can be tricked into downloading a phony software update or other trusted download link—even ignoring warning messages (as happened to a friend of ours) only to allow a costly malware infection.

6. Self-Propagation

Once inside a single computer, the most sophisticated ransomware strains can automatically replicate through an entire network via the victim’s address book. ICIT expects that self-replicating ransomware will evolve to infect multiple devices within the Internet of Things.

7. Ransomware as a Service (RaaS)

ICIT predicts that the largest ransomware creators will syndicate “retail versions” of their products to less sophisticated criminals and lower-level hackers who’ll perform the day-to-day grunt work of hunting down new victims around the world. The creator collects a percentage of every successful ransom payment.

In the coming weeks, we’ll continue to examine ransomware and other cyberthreats our customers need to defend against. For more on how to protect your company, contact us.

Welcome to the IoT: Will Your TV Be Watching YOU?

Thursday, March 12th, 2015

screen-310714_640

We’ve talked recently about the potential dangers of the rapidly expanding Internet of Things, or IoT. As we discussed, the IoT consists of embedded sensors collecting data from dozens of devices in your daily life—your car, your health and fitness equipment, and even your home thermostat. All that tabulated data is intended to help you, whether it reminds you that your car needs a tune-up, that you’re slacking off on those cardio workouts, or that the heat can shut off because you’re not at home. But just as when the Internet first exploded upon us in the mid-1990s, IoT technology may be growing faster than our ability to regulate it and protect our privacy—from hackers, corporations, and even the government.

Smart Devices: Getting Too Smart?

Consider this recent Salon.com article. The author was excited about buying a state-of-the-art “smart” TV—until he read all 46 pages of the manufacturer’s Privacy Policy.

Think for a moment about the last time you needed to check an “I Agree” box before installing software, downloading music, or applying for a job online. Did you actually read the binding legal contract you were virtually signing? Like most people, you probably skipped that “fine print,” whether it was three pages or 30. “It’s got to be fair,” you assured yourself, “or they couldn’t get away with it.” And you clicked through.

In the case of that smart TV, they actually try to get away with quite a lot. Soon after plugging in that new TV, the user is asked to give their consent to:

  • Set cookies and beacons marking the content you watch and the E-mail you read.

  • Track the apps you use, the websites you visit, and your online interactions with both.

  • Record facial recognition via a built-in camera.

  • A voice recognition feature which may “transmit your spoken words to a third party.”

But what about opt-outs and do-not-track requests, you ask? The TV’s Privacy Policy specifically excludes them. You’re not just watching TV anymore—it’s watching you, too.

New Targets for Hackers … or “Big Brother”?

Are we sounding a little too much like George Orwell here? Maybe. But in this relatively early stage of the IoT, who’s to say your networked household devices won’t be hacked to let a burglar know when you won’t be home? Or after the uproar the federal government created by eavesdropping on millions of cell phone calls via the 2001 Patriot Act, could they someday get permission to monitor citizens via the data collected by their household devices—including their living room TV?

Before you consider upgrading to a smart TV, we recommend you isolate it—along with other IoT devices—from your home or office network via a dual-firewall or “DMZ” configuration. And block that camera the same “low-tech” way many laptop users already do—with a simple piece of black electrical tape over the lens.

For advice and support on protecting your privacy when it comes to IoT devices, contact us at www.mpa.com