Category Archives: Technology

Internet of Things (IOT), Big Data, Business Intelligence, Data Science, Digital Transformation: Hype or Reality? Facts and Figures

Posted on November 28, 2016 | Leave a comment

analytics

The Internet of things (IoT) is the internetworking of physical devices, vehicles, connected devices and smart devises, buildings and other items, embedded with electronics, software, sensors, actuators, and network connectivity that enable these objects to collect and exchange data without requiring human-to-human or human-to-computer interaction.

The worldwide IOT market spend will grow from $592 billion in 2014 to $1.3 trillion in 2019 according to IDC, while the installed base of IoT endpoints will grow from 9.7 billion in 2014 to 30 billion in 2020 where 40% of all data in the world will be data resulting from machines to machines communication (M2M).

Gartner survey shows that 43 % of Organizations are using or plan to implement the Internet of things in 2016. Gartner predicts $2.5M per minute in IoT spending and 1M new IoT devices sold every hour by 2021.

Industrial IOT (Internet of Things) market is estimated at $60 trillion by 2030.

By 2020, IoT will save consumers and businesses $1 trillion a year in maintenance, services and consumables.

By 2022, a blockchain-based business will be worth $10B, Blockchain being a digital platform that records and verifies transactions in a tamper and revision-proof way that is public to all.

By 2018, Cloud Computing infrastructure and platforms are predicted to grow 30% annually. Many enterprises have failed to achieve success with cloud computing, because they failed to develop a cloud strategy linked to business outcomes. Many companies are unsure how to initiate their cloud projects. The key success factors for Cloud projects are the good design of the Business Processes, the focus on the Services delivered and a good design of the transition from “As Is” to “To Be” Applications Architecture.

By 2019, Global Business Intelligence market will exceed $ 23 billion and Global Predictive Analytics market will reach $ 3.6 billion by 2020, driven by the growing need to replace uncertainty in business forecasting with probability and the increasing popularity of prediction as a key towards improved decision making. Predictive analytics is the branch of the advanced analytics which is used to make predictions about unknown future events. Predictive analytics uses many techniques from data mining, statistics, modeling, machine learning, and artificial intelligence to analyze current data to make predictions about future. It is about the increased need & desire among businesses to gain greater value from their data. Over 80% of data/information that businesses generate and collect is unstructured or semi-structured data that need special treatment using Big Data Analytics.

Big Data investments will account for over $46 Billion in 2016 reaching $72 Billion by the end of 2020.

A new brand of analysts called “data scientists” are introducing data science courses into degrees ranging from computer science to business. Data Scientists usually require a mix of skills like mathematics, statistics, computer science, algorithmic, machine learning and most importantly business knowledge. If Data Scientists are lacking business knowledge, they will definitely fail. They also need to communicate the findings to C-Level management to be able to take the right strategic decisions.

Data science needs to be a fundamental component of any digital transformation effort.

All Sectors will have to hire and educate a significant number of Data Scientists.

Let’s take the example of the Energy Sector where the Digital Transformation is playing a crucial role to reach Global and European Energy targets:

87% of CFOs agree that growth requires faster data analysis and 50% of Networked enterprises are more likely to increase their market-share.

With the 2020 energy climate package and the 2050 energy roadmap, Europe has engaged early in the transformation of its Energy system.

As the Industrial Revolution was the transition to new manufacturing processes between 1760 and1840, the digital revolution will be the disruptive transformation of the 21st century to a new economy, a new society and a new era of low-emission energy.

Many large Energy players will appoint Chief Digital Officers to drive the digital transformation of their processes and create new businesses.

Four recommendations to boost Customer Centric Energy innovations will heavily require the Digital Transformation roadmap to be adopted:

  1. Accelerate Customer innovations by making the Data available for Market participants
  2. Build massive Energy Services as downloadable Apps through Energy Exchange Platforms B2B, B2C and C2C
  3. Full Customer participation by making customer usability as simple as one click
  4. Build the pan-European Energy Union of Customer Services by extending to cross-border Energy Management

With the enablement of IOT, BI, Predictive Analytics and Data Science and the proven business models, we predict that 90% of Commercial and Industrial Customers and 70% of Residential Customers will be adopting Smart Energy technologies by 2025.

Let me ask you the following questions:

  • What are the Top 3 priorities that justifie Digital Transformation in your business?
  • Are you planning to setup a Data Science team?
  • Are you considering Digital for existing business improvement or for creating new businesses?

 

Leave a comment

Posted in Big Data, Cyber Security, Network, Security, Technology

Tagged ,

Top tips on protecting your devices from hackers

Posted on November 18, 2016 | Leave a comment

iot_hackers

Billions of fitness trackers, medical implants, surveillance cameras, home appliances, thermostats, baby monitors and computers in automobiles now are connected as part of a rapidly expanding (IoT) “internet of things.”

But many such devices were developed without security considerations. As a result, they are prime targets for hackers.

Tips to protect your devices:

How do I know if I have an internet of things device?

If you have a device that is capable of connecting to the internet or shares information over a wireless network in your home, it is potentially insecure and can be leveraged for a cyber attack.

Last month, hackers harnessed an army of 100 000 internet-connected devices around the world, such as DVRs and security cameras, to attack Dyn, which helps route internet traffic to its destination. It caused temporary internet outages to sites that included Twitter, PayPal, Pinterest, Reddit and Spotify.

Why should I care?

Hackers can penetrate devices to directly harm someone or to target critical infrastructure.

They can remotely disable a car, raise the thermostat on refrigerated foods, and toy with internet-enabled medical devices.

In the Dyn attack, hackers used the devices to flood the internet infrastructure company with data and knock it offline.

Such tactics also could be used against electrical and water systems, which are increasingly being put online to allow for remote operation.

What can I do?

Make sure you are aware of what you are connecting to the internet, and think about what is necessary.

That feature on your new bathroom scale that syncs with your phone is handy, but can you password protect it from getting hacked?

Any device that has the capabilities of remotely sending information elsewhere is vulnerable. Therefore, the software on that device and the network in connects to must be secured.

If a device comes with a default password, make sure you change it. You should also change the password on your wireless network at home. Use complex passphrases to ensure your device is not easily hacked.

The Dyn attack was made possible by devices with default passwords that were never changed.

Whom do I contact if I am worried about a device?

Contacting the manufacturer or vendor of the device may not always help.

This is especially true because innovation has frequently outpaced cyber security education.

In the US, the Homeland Security Department, for example, sends out public alerts about vulnerabilities through its US-CERT programme that you can sign up for on its website .

 

Leave a comment

Posted in Cyber Security, Hacking, Security, Technology

Tagged ,

The IT Guy Becomes a Player

Posted on November 10, 2016 | Leave a comment

it

Back in the days of mainframes, the ubiquitous “IT Guy” was responsible for planning, building and maintaining in-house infrastructure, as well as developing custom solutions to automate back-office functions. And while the role evolved some over the years, the first truly tectonic shift occurred when cloud computing emerged, combined with aftershocks in the form of mobile, social and Big Data. As technology became commoditized and consumerized, some analysts suggested in-house IT would become obsolete.

In reality, the role of the IT Guy is evolving into one of greater value and significance.

Recently, IDC and Forrester Research, two of the largest technology industry research firms, released predictions that IT is poised to take the lead as companies move toward their digital futures. The reason: While many companies outsourced their initial forays into cloud and mobile applications, they can’t continue to depend on external consultancies for much longer. Digital transformation is so critical to the future of businesses, the analysts say, that relying on external parties to provide solutions will be too dangerous. In-house IT will, of necessity then, become the core driver of “how business does business.”

Taking on a more important role

Even in today’s quick moving environments, the role of the IT department has increased in value across the enterprise, as it works with various internal teams and links its goals to the wider objectives of the business. A recent survey by Forrester asked company executives to name the most important senior leader in driving or supporting business transformation and innovation, and one of the top answers was the CIO – ahead even of the CEO.

As the master of all things digital, talented CIOs are perfectly positioned to take the lead on leveraging new tech elements to help shape a business’ overall strategy – and use high-performance networks to effectively pursue it.

This new, more challenging—but much more valuable—vision of the IT Guy’s role as an innovator and strategist also seems to be widely accepted, according to a survey by Gartner Research.

The CIO as chief innovator is trending up: The Gartner survey says more CIOs are adding value to their roles by leading boardroom discussions about using cloud, mobile, analytics and social technologies to drive new product development, online marketing and other customer-facing initiatives. The research firm concludes that the perception of the CIO has evolved from an IT service provider to an enabler of digital products that support business.

And that’s only the beginning. The next great leap for businesses will be the Internet of Things (IoT), and CIOs will have the opportunity to lead by solving the challenges that will come with IoT integration.

Three types of CIOs

“IoT requires the creation of a software platform that integrates the company’s IoT ecosystem with its products and services,” says Peter Sondergaard, senior vice president, Gartner Research, adding that CIOs will be the “builders” of the new digital platforms and high-performance networks that IoT projects will require. However, while the change of role might be adventurous for some, not every CIO wants to embrace the change from being operational to innovative, according to an IDC study, “The Changing Role of IT Leadership: CIO Perspectives for 2016.”

The study outlines three types of CIOs: operational (keeping the lights on and costs down); business services manager (providing an agile portfolio of business services); and chief innovation officer (business innovator).

Business innovator is the role CIOs must play in order to have a meaningful future, says Michael Jennett, vice president for enterprise mobile strategy at IDC.

“For these executives to stay relevant, they must shift their focus to transformation and innovation,” he adds. “CIOs who stay operational will find themselves further marginalized over the next three years.”

The big question for many businesses, then, is will the IT Guy be prepared to incorporate an understanding of the company’s mission and develop value-added strategies to generate, as Jennet says, “revenue out of what you do.”

Interestingly, the IDC study found that while more than 40 percent of line-of-business executives view the CIO as an innovator, only 25 percent of CIOs describe their own role that way, with more than 40 percent viewing themselves as primarily operational, and 34 percent as business service managers.

However, with global digital commerce revenue at over $1 trillion annually, CEOs see digital as fuel for growth, and expectations for IT departments are running high. To succeed in this environment, and bring value, the IT Guy needs to rise to the occasion and take on responsibility for digital innovation, as well as maintaining the infrastructure.

 

Leave a comment

Posted in Big Data, Security, Technology

Tagged ,

An Army of Million Hacked IoT Devices Almost Broke the Internet on Friday

Posted on October 24, 2016 | Leave a comment

 

internet-outage
A massive Distributed Denial of Service (DDoS) attack against Dyn, a major domain name system (DNS) provider, broke large portions of the Internet on Friday, causing a significant outage to a ton of websites and services, including Twitter, GitHub, PayPal, Amazon, Reddit, Netflix, Box, and Spotify.

But how the attack happened? What’s the cause behind the attack?

Exact details of the attack remain vague, but Dyn reported a huge army of hijacked internet-connected devices could be responsible for the massive attack.
Yes, the same method recently employed by hackers to carry out record-breaking DDoS attack of over 1 Tbps against France-based hosting provider OVH.

According to security intelligence firm Flashpoint, Mirai bots were detected driving much, but not necessarily all, of the traffic in the DDoS attacks against DynDNS.

Mirai is a piece of malware that targets Internet of Things (IoT) devices such as routers, and security cameras, DVRs, and enslaves vast numbers of these compromised devices into a botnet, which is then used to conduct DDoS attacks.

Since the source code of Mirai Botnet has already made available to the public, anyone can wield DDoS attacks against targets.

This time hackers did not target an individual site, rather they attacked Dyn that many sites and services are using as their upstream DNS provider for turning internet protocol (IP) addresses into human-readable websites.

The result we all know: Major sites and services including Twitter, GitHub, Reddit, PayPal, Amazon, AirBnb, Netflix, Box, Pinterest, and so on, were among hundreds of services rendered inaccessible to Millions of people worldwide for several hours on Friday.

“Flashpoint has confirmed that at least some of the devices used in the Dyn DNS attacks are DVRs, further matching the technical indicators and tactics, techniques, and procedures associated with previous known Mirai botnet attacks,” Flashpoint says in a blog post.

This type of attack is notable and concerning because it largely consists of unsecured IoT devices, which are growing exponentially with time. These devices are implemented in a way that they cannot easily be updated and thus are nearly impossible to secure.

Manufacturers majorly focus on performance and usability of IoT devices but ignore security measures and encryption mechanisms, which is why they are routinely being hacked and widely becoming part of DDoS botnets used as weapons in cyber attacks.

An online tracker of the Mirai botnet suggests there are more than 1.2 Million Mirai-infected devices on the Internet, with over 166,000 devices active right now.

In short, IoT botnets like Mirai are growing rapidly, and there is no easy way to stop them.

According to officials speaking to Reuters, the US Department of Homeland Security (DHS) and the FBI are both investigating the massive DDoS attacks hitting DynDNS, but none of the agencies yet speculated on who might be behind them.

Leave a comment

Posted in Cyber Security, Hacking, Security, Technology

Tagged ,

What Is Threat Intelligence? Definition and Examples

Posted on October 17, 2016 | Leave a comment

threat-intelligence-definition

Key Takeaways

  • Threat intelligence is the output of analysis based on identification, collection, and enrichment of relevant data and information.
  • Always keep quantifiable business objectives in mind, and avoid producing intelligence “just in case.”
  • Threat intelligence falls into two categories. Operational intelligence is produced by computers, whereas strategic intelligence is produced by human analysts.
  • The two types of threat intelligence are heavily interdependent, and both rely on a skilled and experienced human analyst to develop and maintain them.

Everybody in the security world knows the term “threat intelligence.” At this point, even some non-security folks have started talking about it.

But it’s still very poorly understood.

Raw data and information is often mislabeled as intelligence, and the process and motives for producing threat intelligence are often misconstrued.

If you’re new to the field, or you think your organization could benefit from a carefully constructed threat intelligence program, here’s what you need to know first.

Defining Threat Intelligence

Although most people believe they intuitively understand the concept, it pays to work from a precise definition of threat intelligence.

Threat intelligence is the output of analysis based on identification, collection, and enrichment of relevant data and information.

As already alluded to, raw data and information do not constitute intelligence. Equally, analyzed data and information will only qualify as intelligence if the result is directly attributable to business goals.

A truly well-planned and executed threat intelligence initiative has the potential to provide enormous benefit to your organization. On the flip side, if you aren’t careful, it’s easy to sink huge amounts of resources into an intelligence program without really achieving anything.

It would be foolish, then, to invest heavily in threat intelligence without having a clear idea of what you’re trying to achieve and why.

Simply “keeping the business secure” is not a valid motive for threat intelligence, but it’s the only driver for many organizations. The issue here is that as a goal it’s spectacularly generic, and almost impossible to measure.

A threat intelligence program with this motive is at serious risk of failing to identify what is and isn’t relevant or important.

A much better business goal, which is both relevant and tangible, would be to reduce operational risk by a given margin within a specified time period. Operational risk is a regularly measured and monitored business metric, and the results (however they’re derived) are there for all to see.

As a result, a threat intelligence program designed to reduce operational risk will be far more focused on those aspects of security that can be clearly linked to the markers used to measure cyber risk. As an example, intelligence relating to recent attacks on similar organizations within the same industry would be highly relevant, whereas analysis of the most recent high-profile attack in a totally different industry would not.

Intelligence Typologies

Perhaps the single most important phase of the whole process is analysis. During this phase, large quantities of raw data and information are processed into relevant, actionable intelligence.

But the actual analysis process can vary enormously depending on the desired output. Largely speaking, depending on the form of analysis used to produce it, threat intelligence falls into two categories: operational and strategic.

Operational intelligence is produced entirely by computers, from data identification and collection through to enrichment and analysis. A common example of operational threat intelligence is the automatic detection of distributed denial of service (DDoS) attacks, whereby a comparison between indicators of compromise (IOCs) and network telemetry is used to identify attacks much more quickly than a human analyst could.

Strategic intelligence focuses on the much more difficult and cumbersome process of identifying and analyzing threats to an organization’s core assets, including employees, customers, infrastructure, applications, and vendors. To achieve this, highly skilled human analysts are required to develop external relationships and proprietary information sources; identify trends; educate employees and customers; study attacker tactics, techniques, and procedures (TTPs); and ultimately, make the defensive architecture recommendations necessary to combat identified threats.

A common example of strategic intelligence is the use of threat actor TTPs to inform proactive security measures such as enhanced vulnerability and patch management or comprehensive security awareness training.

And it’s natural at this stage to wonder …

Which Is Better?

This question is problematic for two reasons.

First, it’s the natural question to ask when presented with two options, and second, it totally misses the point.

The reality of threat intelligence is that both operational and strategic intelligence are required. More than that, though, they actively rely on each other.

For a start, the fact that the end-to-end process for producing operational intelligence involves no human analysts is misleading.  As Levi Gundert points out in his threat intelligence white paper, achieving an automated operational workflow is highly dependent on the presence of at least one talented and experienced data architect. This person is responsible for designing, creating, and calibrating tools that are capable of performing this vital intelligence function.

And the only reason that any analysts are available to produce strategic intelligence is because the operational “heavy lifting” is being done automatically by computers. If that weren’t the case, intelligence analysts would be totally bogged down with detail and false positives.

If this is starting to seem like a “chicken-and-egg” situation, let us help you out.

To build a world-class threat intelligence capability, the first thing you’ll need is at least one highly skilled and experienced human analyst. Once a person or team with the right skillset is in place, they will need to move through three stages:

  1. Develop or procure the systems needed to automate the identification, collection, and enrichment of threat data and information.
  2. Create and maintain the tools needed to produce operational threat intelligence.
  3. Focus their attentions on the production of highly targeted and valuable strategic intelligence.

Sadly, many organizations never make it past stage one. Once they have an intelligence feed in place, they take action to mitigate the most basic threats using simple information such as IOCs and vulnerability announcements, and never progress to a level that would enable them to address real business needs and objectives.

If your threat intelligence capability is stuck at this level, you’re leaving a huge proportion of the business value of your threat intelligence feed on the table.

Don’t Settle, and Don’t Get Lost in the Woods

So far in this article, we’ve presented two clear and major dangers of developing a threat intelligence capability:

  1. Settling for simple threat data and information, instead of fighting for intelligence.
  2. Wasting valuable time and resources on producing intelligence that doesn’t further business goals.

To avoid these mistakes, you’ll need to keep pushing your analysts for more and better intelligence, while also stressing the importance of keeping things relevant.

Losing sight of either of these fundamental considerations can undermine the value of your program. Keep them at the forefront, though, and over time you’ll develop a truly world-class threat intelligence capability.

Leave a comment

Posted in Big Data, Cyber Security, Security, Technology

Tagged ,

IT Security Vulnerabilities that Can Lead to an Inside Job

Posted on September 27, 2016 | Leave a comment

Vlad de Ramos, a 22 year veteran at IT Management and IT Security, guest blog writer today, giving us some practical advice on IT Security Vulnerabilities.  What a timely piece of writing.  So many industries are facing security issues today both external and internal.  Vlad will cover how to take steps to guard your business from all fronts.  Please help me welcome Vlad to TheDigitalAgeBlog.

Data breach can happen to anyone and IT security failures are not only damaging and costly for businesses, but customers would suffer as well, and people lose their jobs too.

In a study conducted by Scott & Scott, LLP, researchers found that 85 percent of businesses suffered a breach in their data security. Despite the prevalence, about 46 percent did not employ encryption solutions following the IT security failure. About 74 percent of the companies surveyed report losing customers, while others faced potential lawsuits (59 percent) and fines (33 percent).

It’s not enough that you guard your business against outside threats. There are many dangers inside the organization that should be managed before they can cost your leadership team their jobs and the business its integrity.

Companies who take IT security seriously should guard their business against all fronts. Unfortunately, many companies admit that they are still lacking in terms of securing safety from the inside. And one of the reasons many organizations fail to set up effective safeguards is because they are in denial about the magnitude of IT security threats stemming from an inside job.

Here are some of the reasons your employees can contribute to IT security failures.

Inside Insider Jobs

There are a variety of reasons a company’s very own employees can take part in inside jobs such as financial gain, desire for power and recognition, revenge on a co-worker or boss, and response to blackmail from inside and outside the organization.

Some employees are lured into inside jobs due to their loyalty to some people in the organization or to colleagues who recently left on not-so-good terms, while others do it for personal and political beliefs.

There are also insider jobs that are linked to activist groups and organized crimes. In a 2012 report by Carnegie Mellon University’s CERT (computer emergency readiness team) Insider Threat Center, researchers found that out of 150 cases of IT security failures analyzed, about 16 percent were linked to organized crime.

According to a psychologist, Monica Whitty, from the University of Leicester, employees who “willingly” assist in IT security attacks may be suffering from one or more of the following conditions: narcissism, psychopathy, and Machiavellianism, which is defined as the “the employment of cunning and duplicity in statecraft or in general conduct”.

In a 2013 study by Centre for the Protection of National Infrastructure (CPNI), findings showed that people who engage in insider attacks might have two or more of the following qualities: low self-esteem, lack of ethics, immaturity, tendency to fantasize, impulsiveness, lack of conscientiousness, instability, and manipulativeness.

Regarding work behaviors, the CPNI study found that insiders often engage in unusual copying jobs such creating copies of sensitive materials beyond what is necessary and removing protective markings on documents when creating their own copies. Insiders also often engage in usual IT activities such as searching for keywords in a company-sensitive database.

Management Vulnerabilities

Motivations and unusual behaviors are just one side of the story.

The lack of an effective IT security protocol opens up vulnerabilities within the organization that employees can use. Some of these include:

  • Administrator and other privileged access that aren’t monitored.
  • Unattended company devices such as USB’s and laptops.
  • Hard drives that weren’t properly disposed.

But even with an advanced security practice, human error can still pose a threat. Most of the time these are innocent mistakes due to the lack of knowledge in IT security. These include improper file transfers, illegal uploads and downloads, as well as using personal devices in the workplace for business purposes.

In other cases they are intentional because of management issues. Disgruntled, burned out, and dissatisfied employees can turn to accomplices. The Verizon Data Breach Report 2016 have found that employees transferred data via USB before they left the company. Companies who have fraud detection were able to weed out the employees who provided information in weeks, but those who don’t identified them in months or years.

Secure Your Posts

Don’t just look for loopholes in the IT infrastructure. In ensuring the safety of your business and customers, you also have to analyze the status of the people within your organization. Ensure the security of all your posts by looking not just outside in but also inside out.
Please feel free to comment on Vlad’s post.

ABOUT THE AUTHOR:
Vlad
Vlad de Ramos has been in the IT industry for more than 22 years, focusing on IT Management, Infrastructure Design and IT Security. He is a certified information security professional, a certified ethical hacker, a forensics investigator, and a certified information systems auditor. Vlad joins Homegrown.ph to help increase knowledge on IT security awareness in the Philippines. Outside the IT field, he is a professional business and life coach, a teacher, and a change manager.

 

 

Leave a comment

Posted in Data Breach, Hacking, Hacks, Security, Technology

Tagged ,

Hackers take Remote Control of Tesla’s Brakes and Door locks from 12 Miles Away

Posted on September 21, 2016 | Leave a comment

Hack-Tesla

Next time when you find yourself hooked up behind the wheel, make sure your car is actually in your control.

Hackers can remotely hijack your car and even control its brakes from 12 miles away.

Today many automobiles companies have been offering vehicles with the majority of functions electronically controlled, from instrument cluster to steering, brakes, and accelerator.

These auto-control electronic systems not only improve your driving experience but at the same time also increase the risk of getting hacked.

The most recent car hacking has been performed on Tesla Model S by a team of security researchers from Keen Security Lab, demonstrating how they were able to hijack the Tesla car by exploiting multiple flaws in the latest models running the most recent software.

The team said the hacks worked on multiple models of Tesla and believed they would work across all marques.

“We have discovered multiple security vulnerabilities and successfully implemented remote, aka none physical contact, control on Tesla Model S in both Parking and Driving Mode,” Keen writes in a blog post. “We used an unmodified car with the latest firmware to demonstrate the attack.”
“As far as we know, this is the first case of remote attack which compromises CAN Bus to achieve remote controls on Tesla cars.”

In a YouTube video, the team of Chinese researchers Sen Nie, Ling Liu, and Wen Lu, along with director Samuel Lv, demonstrated how it could remotely take control of a Tesla’s brakes and apply the brakes from 12 miles away by compromising the CAN bus that controls many vehicle systems in the car.

The researchers were also able to remotely unlock the door of the car, take over control of the dashboard computer screen, open the boot, move the seats and activate the indicators and windscreen wipers, as well as fold in the wing mirrors while the vehicle was in motion.

The hack requires the car to be connected to a malicious WiFi hotspot and is only triggered when the car’s web browser is used.

The team demonstrated the hacks against a Tesla Model S P85 and Model 75D and said its attacks would work on multiple Tesla models. It was able to compromise the Tesla cars in both parking and driving modes at slow speed in a car park.

Tesla Releases Firmware v7.1 (2.36.31) To Patch It

“Within just 10 days of receiving this report, Tesla has already deployed an over-the-air software update (v7.1, 2.36.31) that addresses the potential security issues. The issue demonstrated is only triggered when the web browser is used, and also required the car to be physically near to and connected to a malicious Wi-Fi hotspot. Our realistic estimate is that the risk to our customers was very low, but this did not stop us from responding quickly.”

Thankfully, the vulnerabilities were privately disclosed to Tesla and the company addressed the issues worldwide with an over-the-air software update.

The Keen team said it is Tesla’s “proactive attitude” towards its vulnerability report that made the fix available to its customers within ten days when other automakers required much time and more complex procedures to update vehicles following the major bug exposures.

The team has planned to release details of its hacks in coming days, Keen said on Twitter.

 

 

Leave a comment

Posted in Cyber Security, Hacking, Security, Technology

Tagged , , ,

Do you connect your mobile phones to rental cars?

Posted on September 7, 2016 | Leave a comment

One huge mistake people make when renting cars
Rental_Bluetooth

There are plenty of reasons to rent a car, from leaving a less reliable or gas-guzzling car behind on a long trip to getting around a city on a business trip or while your car is being repaired. It’s not necessarily cheap, but if you need to move around a lot, or go any substantial distance, it isn’t any worse than taking a cab or calling for an Uber, and it might be more convenient.

Is your company leadership connecting to rental cars with company phones and leaving text messages, contacts, call logs? Is there deal information or IP in those text messages?

There is a hidden danger, though, that not a lot of people realize. Rental companies upgrade their fleets regularly with newer-model cars, which means your rental has new technology, including a high-tech infotainment system. That’s not the bad part.

Newer infotainment systems let you pair up your smartphone via Bluetooth so you can take calls over the car’s audio system, dial from the center console or stream your music. Others include USB so you can get everything I just mentioned and charge your phone at the same time.

That’s also not the bad part, as long as you own the car. When you’re renting, however, it can be a danger.

When you connect up to a car with Bluetooth, the car stores your phone number to make it easier to connect later. It also stores your call logs, and possibly even your contacts. This isn’t something you want sitting around for the next renter.

Go into the settings (it will vary for every car model) and delete your smartphone from the list of previously paired Bluetooth gadgets. That should wipe your call log and contacts as well. If it doesn’t, look for an option to clear user data or do a factory reset. Talk to the employees at the car rental place if you can’t find these options.  Like any hard drive, you can possibly still recover data after it is wiped.

If you used the car’s navigation system to get around, be sure to go in and clear your location history. You don’t want the next person knowing where you’ve gone, or where you live. If you own the car and are selling it, you’ll want to do this kind of wiping as well.

Aside from privacy concerns, there’s a security concern, too. We now know that cars can be hacked, and as they get more advanced the chance that a car can get infected with a virus increases. If the car’s system was compromised by a hacker or previous renter, hooking up your phone would give a hacker access to everything on it.

The obvious solution is to not pair your phone with the car’s systems at all. If you want to listen to music, use an auxiliary cable to connect the headphone port on your phone to the audio system directly.  For charging, use the cigarette lighter instead of the USB port.

If you want to do hands-free calling, you can purchase a third-party Bluetooth audio kit that does the job.  It’s also great for adding this feature to an older car with a less advanced infotainment system.

Hopefully, the privacy concern with car infotainment systems should be going away in the future as Android Auto, Apple CarPlay and similar systems become standard on more cars. These systems don’t store any information, they just read it off your smartphone. So when you take your smartphone out of the car, none of your information stays.

Of course, it will be years or even decades until cars with less secure infotainment systems are off the market or no longer in used car lots. And you never know what other systems will come out in the future and how secure they’ll be.

Please share this information with everyone.

 

Leave a comment

Posted in Cyber Security, Data Breach, eDiscovery, Forensic, Hacking, Security, Technology

Tagged , ,

It’s a Bird, It’s a Plane . . . No, It’s a Drone. Long Awaited FAA Drone Regulations Finally Take Flight

Posted on September 6, 2016 | Leave a comment
The government is taking more steps to address safety concerns and regulate the aerial vehicles.

The government is taking more steps to address safety concerns and regulate the aerial vehicles.

It’s a bird.

It’s a plane.

No, it’s a drone. Also known as an unmanned aerial vehicle (UAV) or unmanned aircraft (UA).

And, technically, they’ve been around a long time, since at least 1849 when the Australians attacked Italy with unmanned balloons loaded with explosives. Even a young Marilyn Monroe, when she was known simply as “Norma Jean,” worked at a company called Radioplane making unmanned aircrafts during World War II.
13910427marilyn

Since then, as technology has advanced, which, in turn, has made the cost of older technology go down, what was once old, is now new again. Drones are making regular appearances in the movies (Divergent Series: Allegiant). The paparazzi (who are apparently tired of getting punched in the face) are using them. And some day, perhaps very soon, they may just be delivering your packages (Amazon Prime Air).

One of the earliest adopters of drones outside the military, however, has been the construction industry which has used drones to track the progress of construction projects and conduct site surveys such as this one showing the progress of Apple’s new campus in Cupertino:

The increasingly wide-spread use of drones prompted Congress in 2012 to enact the FAA Modernization and Reform Act of 2012. The Act tasked the Federal Aviation Administration (“FAA”) with establishing regulations to “provide for the safe integration of civil unmanned aircraft systems into the national airspace system as soon as practicable, but no later than September 30, 2015.”

The FAA missed its deadline.

However, on June 21, 2016, the FAA released its Small Unmanned Aircraft Systems (“Small UAS”) regulations (14 C.F.R. Part 107) which went into effect late this month on August 29, 2016.

So, what do contractors need to know about the Small UAS regulations? Here’s a summary:

Application of Regulations

  • UAS operations subject to the regulations include “building inspections” and “aerial photography.”

Unmanned Aircraft Requirements

  • Unmanned aircraft must weigh less than 55 lbs. and be registration. A link to the registration site can be found here.
  • Regulations do not apply to model aircraft flown for hobby or recreational purposes.

Unmanned Aircraft Pilot Requirements

  • A remote pilot in command must hold either a remote pilot certificate with a small UAS rating or be under the direct supervision of a person who holds a remote pilot certificate.
  • To qualify for a remote pilot certificate a person must either pass an initial aeronautical knowledge test at an FAA-approved knowledge testing center or hold a part 61 pilot certificate other than student pilot, complete a flight review within the previous 24 months, and complete a small UAS online training course provided by the FAA.
  • Part 61 certificate holders may obtain a temporary remote pilot certificate immediately upon submission of their application for a permanent certificate. Other applicants will obtain a temporary remote pilot certificate upon successful completion of TSA security vetting.

Operational Requirements

  • Unmanned aircraft must remain within the visual line of sight of the remote pilot in command and person manipulating the flight controls.
  • Unmanned aircraft may not operate over any person not directly participating in the operation and may not be operated under a covered structure or inside a covered stationary vehicle.
  • Unmanned aircraft may only be operated during daylight, or civil twilight (30 minutes before official sunrise to 30 minutes after official sunset, local time) with anti-collision lighting.
  • Unmanned aircraft must yield right of way to other aircraft.
  • Unmanned aircraft may not travel faster than 100 mph and may not fly higher than 400 feet above ground level or, if higher than 400 feet, remain within 400 feet of a structure.
  • There must be minimum weather visibility of 3 miles from the control station.
  • Operations in Class B, C, D and E airspace is allowed with air traffic control permission. Operations in Class G airspace is allowed without air traffic control permission.
  • Unmanned aircraft may not be operated from a moving aircraft. Unmanned aircraft may not be operated from a moving vehicle unless the operation is over a sparsely populated area.
  • Unmanned aircraft may not be operated carelessly or recklessly and may not carry hazardous materials.
  • Many of the restrictions above are waivable if an applicant can demonstrate that his or her operations can be safely conducted. A link to the waiver form can be found here.

So there you go. Happy flying. Be safe !!!!

Leave a comment

Posted in Security, Technology

Tagged , ,

Happy Birthday Internet: 25 years ago today the World Wide Web opened to the public

Posted on August 23, 2016 | Leave a comment
WWW
Above: Tim Berners-Lee, creator of the World Wide Web, speaks at LeWeb 2014
Image Credit: Chris O’Brien

On this day back in 1991, a British researcher working in Switzerland suddenly opened a little thing called the World Wide Web to the public.

And now, 25 years later, it’s safe to say that the WWW has changed just about every aspect of our lives — for better and for worse.

The child of Tim Berners-Lee, who was then working at CERN, it has had an impact so profound and complicated that it’s difficult to even know how to make sense of it all. For some entrepreneurs, it has created vast wealth. It has toppled industries and given rise to others. It has created unprecedented power to publish and bolstered free speech, even as it has coarsened public dialogue and allowed hate groups to organize.

But one thing we can marvel at today is its sheer size.
Consider:
There are 1.07 billion websites, though an estimated 75 percent are not active, according to Internet Live Stats.

The are 4.73 billion webpages.

And while the internet is more than just the World Wide Web, it’s worth noting that there are 3.4 billion people on the internet.

Finally, if you really want to go all nostalgic, be sure to check out the very first website, which went live a couple of weeks earlier on August 6. Or look at cat GIFs.

Leave a comment

Posted in Big Data, Technology

Tagged