Category Archives: Technology

How Hackable Are Our Apartments?
The Internet of Things is poised to revolutionize apartment home systems and appliances, but it also increases the security and privacy threats to apartment firms. At the 2017 NMHC OPTECH Conference & Exposition, a panel of leading security experts shared best practices for ensuring that apartment firms are mindful of the new threats as they integrate smart home devices into their communities.

The panel’s moderator, Mike Smith, vice president at White Space Building Technology Advisors, advised that as apartment firms add IoT devices to their communities, they need to look for products that are specifically designed for multifamily, noting, “if you buy a product at Home Depot, it is probably not designed for the complex nature of multifamily security needs.”

Panelist Michael Reese, Chief Information Officer for USA Properties Fund, agreed, saying that he views “IoT as Internet of Threats, not Internet of Things,” and recommended this view as apartment firms evaluate smart home technology. Kevin Gerber, project manager at Forest City Enterprises, noted that it is critical to educate staff on the new technologies and maintaining strong security protocols, and highlighted the need for a strong support structure.

Panelists agreed in the importance of segregating networks as a critical step in good cyber hygiene. Yousef Abdelilah, innovation and product management leader at American Tower, stressed the importance of implementing different layers of security to protect systems. Hackers don’t want to spend a significant amount of time trying to hack a system and will move on to systems that have fewer layers and are, therefore, easier to access.

Bill Fisher, security engineer at the National Cybersecurity Center of Excellence, part of the National Institute of Standards and Technology (NIST), commented that “IoT threat mitigation is not that different from past cyber threats. Best practices for strong cyber hygiene aren’t new. Right now, the onus is on the end-user to ask the right questions and educate him or herself until market correction forces vendors to address security.” NIST provides best practices and a customizable approach to managing cyber risk through the NIST Cybersecurity Framework.

Panelists recommended evaluating the ROI on current IoT technology. Fisher commented that installing IoT is a risk decision. Firms need to weigh the convenience of devices versus the risk of security and legal ramifications if a system is hacked.

Reese reminded the audience that ensuring strong information security policy is a senior executive issue, not simply an IT issue, and that it needs to be implemented throughout the company.

NMHC provides resources on cybersecurity, including a cybersecurity white paper and a cyber threat alert system. More information can be found at nmhc.org/data-security.

Hackable Apartments: How to Keep Our Communities Safe When Everything is Going Online

Honored to be speaking at the 2017 NMHC OPTECH Conference & Exposition in Las Vegas, October 25-27, 2017, at the Mandalay Bay Resort and Casino.

Hackable Apartments: How to Keep Our Communities Safe When Everything is Going Online

With the Internet of Things poised to revolutionize our systems and appliances just as the internet did with our information, the question remains—can we keep these devices safe? Today’s “smart” home demands a modern take on security and privacy as well as possible integrations with property management systems or even new voice activated consumer technology. Online security experts will assess the risk of the internet-enabled apartment and will present best practices to keep your residents and your enterprise safe from hackers.

What You Should Know About the ‘KRACK’ WiFi Security Weakness

Researchers this week published information about a newfound, serious weakness in WPA2 — the security standard that protects all modern Wi-Fi networks. What follows is a short rundown on what exactly is at stake here, who’s most at-risk from this vulnerability, and what organizations and individuals can do about it.

Short for Wi-Fi Protected Access II, WPA2 is the security protocol used by most wireless networks today. Researchers have discovered and published a flaw in WPA2 that allows anyone to break this security model and steal data flowing between your wireless device and the targeted Wi-Fi network, such as passwords, chat messages and photos.

“The attack works against all modern protected Wi-Fi networks,” the researchers wrote of their exploit dubbed “KRACK,” short for “Key Reinstallation AttaCK.”

“Depending on the network configuration, it is also possible to inject and manipulate data,” the researchers continued. “For example, an attacker might be able to inject ransomware or other malware into websites. The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected.”

What that means is the vulnerability potentially impacts a wide range of devices including those running operating systems from Android, Apple, Linux, OpenBSD and Windows.

As scary as this attack sounds, there are several mitigating factors at work here. First off, this is not an attack that can be pulled off remotely: An attacker would have to be within range of the wireless signal between your device and a nearby wireless access point.

More importantly, most sensitive communications that might be intercepted these days, such as interactions with your financial institution or browsing email, are likely already protected end-to-end with Secure Sockets Layer (SSL) encryption that is separate from any encryption added by WPA2 — i.e., any connection in your browser that starts with “https://”.

Also, the public announcement about this security weakness was held for weeks in order to give Wi-Fi hardware vendors a chance to produce security updates. The Computer Emergency Readiness Team has a running list of hardware vendors that are known to be affected by this, as well as links to available advisories and patches.

“There is no evidence that the vulnerability has been exploited maliciously, and Wi-Fi Alliance has taken immediate steps to ensure users can continue to count on Wi-Fi to deliver strong security protections,” reads a statement published today by a Wi-Fi industry trade group. “This issue can be resolved through straightforward software updates, and the Wi-Fi industry, including major platform providers, has already started deploying patches to Wi-Fi users. Users can expect all their Wi-Fi devices, whether patched or unpatched, to continue working well together.”

Sounds great, but in practice a great many products on the CERT list are currently designated “unknown” as to whether they are vulnerable to this flaw. I would expect this list to be updated in the coming days and weeks as more information comes in.

Some readers have asked if MAC address filtering will protect against this attack. Every network-capable device has a hard-coded, unique “media access control” or MAC address, and most Wi-Fi routers have a feature that lets you only allow access to your network for specified MAC addresses.

However, because this attack compromises the WPA2 protocol that both your wireless devices and wireless access point use, MAC filtering is not a particularly effective deterrent against this attack. Also, MAC addresses can be spoofed fairly easily.

To my mind, those most at risk from this vulnerability are organizations that have not done a good job separating their wireless networks from their enterprise, wired networks.

I don’t see this becoming a major threat to most users unless and until we start seeing the availability of easy-to-use attack tools to exploit this flaw. Those tools may emerge sooner rather than later, so if you’re super concerned about this attack and updates are not yet available for your devices, perhaps the best approach in the short run is to connect any devices on your network to the router via an ethernet cable (assuming your device still has an ethernet port).

From reading the advisory on this flaw, it appears that the most recent versions of Windows and Apple’s iOS are either not vulnerable to this flaw or are only exposed in very specific circumstances. Android devices, on the other hand, are likely going to need some patching, and soon.

If you discover from browsing the CERT advisory that there is an update available for your computer, wireless device or access point, take care to read and understand the instructions on updating those devices before you update. Failing to do so with a wireless access point, for example, can quickly leave you with an expensive, oversized paperweight.

Finally, consider browsing the Web with an extension or browser add-on like HTTPS Everywhere, which forces any site that supports https:// connections to encrypt your communications with the Web site — regardless of whether this is the default for that site.

And the plot thickens: Hackers Entered Equifax Systems in March

Equifax previously disclosed data was potentially accessed in May

Hackers roamed undetected in Equifax Inc.’s computer network for more than four months before its security team uncovered the massive data breach, the security firm FireEye Inc. said this week in a confidential note Equifax sent to some of its customers.

FireEye’s Mandiant group, which has been hired by Equifax to investigate the breach, said the first evidence of hackers’ “interaction” with the company occurred on March 10, according to the Mandiant report, which was reviewed by The Wall Street Journal.

Equifax had previously disclosed that data belonging to approximately 143 million Americans was potentially accessed in May. It isn’t known when Equifax learned from Mandiant that the hacking activity began in March, not May. Equifax wasn’t available for comment.

Equifax has said it didn’t discover the breach until July 29. Days later it called in Mandiant. Equifax didn’t disclose the breach until Sept. 7.

The attack, which is being probed by the Federal Bureau of Investigation, is one of the most significant data breaches given the scope of the information disclosed: people’s names, addresses, dates of birth and Social Security numbers. In its wake, consumers, customers, regulators and legislators have been asking how the attack occurred and whether Equifax took sufficient measures to protect such sensitive information.

Equifax sent the Mandiant report to some customers, many of which are financial firms, with a cover letter dated Tuesday, Sept. 19, that was signed by the company’s new chief information officer, Mark Rohrwasser, and new chief security officer, Russ Ayres. Equifax last Friday announced the departure of the two executives who previously held those positions.

In a progress report that accompanied that announcement last Friday, Equifax said hackers accessed consumers’ data from May 13 through July 30. It didn’t mention in that report that the attack had begun at an earlier date.

Mandiant’s report this week noted the hackers accessed one of Equifax’s servers by taking advantage of a flaw in software called Apache Struts, used by many companies to build interactive websites.

Two days before the access occurred, on March 8, security researchers at Cisco Systems Inc. warned of the flaw in Struts and a patch was issued by the Apache Software Foundation. Equifax in its report last week said its security staff “took efforts” to fix the system, saying it understood the intense focus outside the company on patching efforts and that its review was ongoing.

After interacting with Equifax’s server in early March, the hackers then entered the computer command “Whoami,” Mandiant wrote. This command would have given the attackers the username of the computer account to which they had just gained access, an early step in a hacking attempt.

Investigators have not determined for certain whether the March incident was carried out by the data thieves or a different set of hackers, but it was likely the beginning of a monthslong reconnaissance mission, according to a person familiar with the investigation. It is common for attackers to lurk for months after their initial break-in as they probe corporate systems—the digital equivalent of trying as many doorknobs as possible to see which doors can be opened.

The March activity was likely a result of the hackers “spamming the internet for vulnerable systems,” said Johannes Ullrich, dean of research with the SANS Technology Institute, a cybersecurity training school.

It isn’t surprising that the hackers took weeks before accessing the sensitive data, Mr. Ullrich said. “Typically, you first build out a beachhead so that it’s difficult to get kicked out,” he added.

On average, it takes companies close to 100 days to discover that they have been hacked, FireEye said in a report released earlier this year. In Equifax’s case, it took 141 days.

Eventually, between May 13 and late July, the attackers accessed files that contained Equifax credentials, such as username and password, and “performed database queries that provided access to documents and sensitive information stored in databases in an Equifax legacy environment,” the Mandiant report said.

Overall, the attackers accessed “numerous database tables in several databases,” the Mandiant report said.

The report added that the attackers “compromised two systems” that support Equifax’s online dispute web application. This is the place where consumers go to dispute information on their credit reports.

The hackers also set up about 30 Web shells—hidden pages that would allow them to remotely run commands on Equifax’s systems even if the Struts vulnerability was patched, the report said. The attackers “remotely accessed” the Equifax systems from approximately 35 “distinct public IP addresses,” it added.

The identity of the hackers is still unknown. Mandiant said in its letter that it hadn’t been able to attribute the breach to any “threat group actor” it currently tracks. Nor did the “tools, tactics and procedures” used overlap with those seen in previous investigations by the firm.

Network Safety: Experts Weigh In

If you missed our Cybersecurity Session “Cybersecurity for CEOs: The Game Has Changed” at the NAA Education Conference, no worries. Our friends at Multi-Housing News have published a great article for you. Special thanks to Sanyu Kyeyune for attending our session and writing the article.

At NAA’s recent conference in Atlanta, panelists shared best practices for keeping vital network information safe from attack.

The panel included Chad Hunt, supervisory special agent with the FBI; Dave McKenna, CEO of ResMan; Frank Santini, cybersecurity attorney of Trenam Law; Jeremy Rasmussen, cybersecurity director of Abacode; and Michael Reese, Chief Information Officer of USA Properties Fund, who moderated the session.

Reese opened the talk by underscoring the commercial real estate industry’s vulnerability to cyber-attacks: “Real estate sits on a goldmine of information, including intellectual property, personally identifiable information—things hackers want to go after.”

Understand Data Value

The cost of stolen information for a single customer can fetch $10-20 on the dark net, but the liability to an organization is $158 or more. This greater figure reflects the cost to recover data, the value of this information to competitors and regulatory fines incurred. Multiply this number by 50,000 customers and the cost amounts to $7.9 million—enough to put some property management firms out of business.

C-suite leaders that understand the total costs of cybersecurity are in better shape to manage a firm’s cyber health. “As a leader, you can’t be afraid to raise the red flag. It’s your responsibility to defend your company and your partners.”

Crafting a risk-based approach helps companies decide on what to defend and how much to spend. This plan should include a guide for CEOs interacting with the media and attorneys working with incident response companies. “There is always a tradeoff between usability and security. That’s why you need to engage with a firm that can bake security into a product from chip to the enterprise level,” Rasmussen warned. “Don’t try to bolt it on at the end.”

Improve Network Visibility

Once the value of data has been quantified, the next step to addressing a company’s cyber health is to ask how secure networks currently are, because on average, noted Rasmussen, by the time a threat has been identified, it has been active for up to 270 days.

“A majority of clients lack visibility into their own networks,” Rasmussen explained. “In today’s world, it’s not a matter of if, it’s when. And not only that, but, are they already in?”

One of the most common software attacks uses ransomware, which encrypts files—effectively eliminating access to important data—and threatens to delete or publish them until the victim pays an agreed-upon sum. However, an organization that already has solid system backups in place can combat ransomware by reverting to previously stored versions. Along with ransomware, phishing attempts, social engineering, attacks on crucial infrastructure, financial fraud and “zero-day” vulnerabilities (a hole in security unknown to the vendor, typically identified and exploited by hackers over a short time frame) have emerged as some of the most damaging cybersecurity threats.

For some organizations, the expenses associated with downtime and productivity could be crippling. Therefore, advised McKenna, it is crucial to be proactive ahead of time, rather than after a threat has surfaced, to mitigate the cost of recovering from a cyber-attack. “It still comes down to your people not being victims,” he said. “The technology won’t do it all for you.”

According to Hunt, email is the most common point of entry for a cyber-attacker. Because emailing and phone calls already poke holes into a security system, organizations must be vigilant in managing these activities to avoid a breach. One way to do this is by focusing security training on individuals with elevated privileges, such as system administrators and C-suite users, which are hot targets for hackers.

Know Who to Call

“An order of operations might be to call your IT people to stop and contain the threat, contact your attorney to find out what the legal implications are around reporting, call your public relations firm to control the event in the media and then to contact law enforcement,” Rasmussen offered.

Company leadership should also rally IT teams to mandate routine password changes for all users and to require people to upgrade software instead of patching outdated platforms. It is also crucial to keep a list of key personnel to contact when an infiltration occurs. “Locally, the FBI is a good place to start, but you can also call the Secret Service in your area,” Hunt advised. “In either case, develop this personal relationship ahead of time, as local law enforcement has little authority at a corporate level.”

He also suggested that if a particular individual within an organization becomes the victim of a cyber-attack, then this person should file a police report to avoid being implicated as a perpetrator. When interacting with local authorities, Hunt added, it is most effective to do so in a controlled, documented manner.

“Thirteen years ago, there was much less information-sharing with law enforcement, but now it’s more of a two-way street,” Hunt explained. “The FBI can gather information without necessarily having to open a federal investigation.”

Santini encouraged leadership to secure a forensic investigator that will supervise the handling of evidence and assist in documentation—actions that can be helpful in the event of legal repercussions—and to ensure that attorney-client privilege keeps these interactions private.

Rally Vendors

Another important question that C-suite leaders need to ask themselves is, “What are your partners and their partners doing to ensure cyber safety?”

McKenna emphasized that having a conversation with vendors and suppliers will help reinforce the company priorities, identify the degree of protection already in place and define a plan for handling an intrusion in the future. “You need to know if your vendor will indemnify you for the cost of a breach, if there is a mutual indemnification clause and what level of insurance the vendor requires of its partners,” Santini encouraged. “Make sure you have written agreements with your cloud provider and other suppliers, and negotiate these terms with the help of a lawyer.”

Ultimately, it is up to C-level employees to develop vendor relationships, rather than making cybersecurity a grassroots effort led by an IT department. “There needs to be a separation of duties, just like how a company might hire one accounting team for auditing and another for taxes,” said Rasmussen. “Cybersecurity should be handled the same way.”

Prioritize Efforts

The panel discussion concluded with a punch list of items to help C-level leaders put a cybersecurity plan into action. Here are some key features:

  • Detection using 24/7 monitoring and incident response to gain immediate feedback on the effect of a network security initiative
  • Implementation of organizational policy/procedures, which requires a cultural shift and buy-in from all members of an organization
  • Add-in of other annual assessments, such as penetration testing, phishing, etc., to improve visibility into a network
  • Engagement of IT teams to support continuous improvement and governance
  • Understanding of “zero-day” threats
  • Encouraging collaboration across all stakeholders

House Votes in Favor of Letting ISPs Sell Your Browsing History

Your internet history and browsing habits are for sale, and the House voted Tuesday to keep it that way, rolling back rules that would have barred internet service providers from selling your data without consent.

The measure would bar the Federal Communications Commission from enforcing rules it passed last year, during President Barack Obama’s administration, that would have required broadband providers to get your explicit consent before they could sell your personal data.

Before Tuesday’s vote, representatives who wanted to keep the rules stripped the debate down to something as mundane as buying underwear online, privately.

“I know there has got to be somebody in this body who believes [internet service providers] should not have anybody’s underwear size,” said Rep. Keith Ellison, D-Minnesota.

With strong opposition from Democrats, the measure narrowly passed in the House by a 215-205 vote. No Democrats voted for the bill, and 15 Republicans opposed it. A similar version squeaked through the Senate last Thursday on a party-line vote of 50-48.

The president’s signature is all that is needed now to roll back the rules, leaving consumer data fair game for internet service providers and, crucially, barring the FCC from issuing similar protections in the future. The White House said in a statement on Tuesday that it “strongly supports” the repeal.

After the vote, the Internet & Television Association issued a statement applauding the congressional action to repeal “the FCC’s misguided rules.”

“With a proven record of safeguarding consumer privacy, internet providers will continue to work on innovative new products that follow ‘privacy-by-design’ principles and honor the FTC’s successful consumer protection framework,” the group said in a statement. “We look forward to working with policymakers to restore consistency and balance to online privacy protections.”

CTIA, formerly the Cellular Telecommunications and Internet Association, an advocacy group for the industry, applauded the measure’s sponsors last week for “seeking a common-sense and harmonized approach to protecting Americans’ privacy.”

“Wireless carriers are committed to safeguarding consumer privacy, and we support regulatory clarity and uniformity across our digital economy,” CTIA said in a statement.

But internet privacy advocates are framing this as a battle between privacy and profits.

Kate Tummarello, a policy analyst at the San Francisco based Electronic Frontier Foundation, said the “commonsense rules” Congress voted to repeal were designed “to protect your data” and keep internet service providers from doing a “host of creepy things” without your consent.

“Of course, the ISPs that stand to make money off of violating your privacy have been lobbying Congress to repeal those rules,” she said in a statement before the vote. “Unfortunately, their anti-consumer push has been working.”

The measure has also spawned a call to action from Data Does Good, a company that wants to empower people to leverage their data to help in the fight for online privacy rights.

The premise: Give Data Does Good your Amazon shopping history, which they say they’ll automatically anonymize and pool with others before selling it to retailers.

Data Does Good will then donate $15 on your behalf to a non-profit of your choice that is fighting for privacy rights, such as the Electronic Frontier Foundation or the ACLU.

Still more to come. Remember the NSA already has all of this information.

UPS Tests “Last Step” Drone Delivery

Test demonstrates potential efficiencies drones can provide on rural delivery routes

Unlike previous drone tests, UPS/Workhorse test incorporates drone delivery into day-to-day delivery operations

Earlier this week, UPS announced that it has successfully tested a delivery drone that launches from the top of a UPS® package car, autonomously delivers a package to a home and then returns to the vehicle while the delivery driver continues along the route to making deliveries.

UPS, like Amazon, is working to reduce delivery times and its growing logistics bill. You can read more about Amazon’s efforts in my Amazon Prime Air Update.

The test was conducted on Monday in Lithia, Fla. in partnership with Workhorse Group (NASDAQ: WKHS), an Ohio-based battery-electric truck and drone developer. Workhorse built the drone and the electric UPS package car used in the test.

The drone used in Monday’s test was the Workhorse HorseFly™ UAV Delivery system. It’s an octocopter that’s fully integrated with Workhorse’s line of electric/hybrid delivery trucks. The drone docks on the roof of the delivery truck. A cage suspended beneath the drone extends through a hatch into the truck. A UPS driver inside loads a package into the cage and presses a button on a touch screen, sending the drone on a preset autonomous route to an address. The battery-powered HorseFly drone recharges while it’s docked. It can carry a package weighing up to 10 pounds.

I like UPS’s approach to studying how drone delivery can reduce costs. A reduction of just one mile per driver per day over one year can save UPS up to $50 million. UPS has about 66,000 delivery drivers on the road each day. It’s easy to see how a delivery program like this, at least in rural areas where homes are far apart and drivers have to travel long distances to make a single delivery, has the potential to save UPS a ton of money. A program like this also has environmental benefits.

I’m encouraged to see companies like Amazon and UPS working to realize the cost saving potential of UAVs. I’m especially encouraged to see both companies refining their approaches into programs that have the potential to be deployed in the field in the near-term future.

Way to go UPS!

UPS serves on the FAA’s drone advisory committee.

Originally posted by Carl Bruckner
President at Concentric Sky.