SafeNet

Home » The Art of Data Protection

Internet of Things Security - IoT Nightmares Rags to Riches

Marty didn’t always have it easy. Growing up, he lived in poverty for much of his young life, doing odd jobs around his small town to provide for his family. His small town upbringing and family struggles taught him early on the importance of hard work, integrity, and to trust those around him. When he wasn’t working or going to school, he would spend hours reading classic literature and history. Marty, even with all of his troubles, was top of his class.

You can imagine how elated he and his family were for him to get a full college scholarship at an Ivy League school. Just like his childhood and teenage years, his college years were no different. He worked hard and graduated at the top of his class with a finance degree, and he was now off to New York City to work his way to the top of a major investment firm.

Dedication, financial responsibility and good investments – both for himself and his clients – paid off. Thanks to a lifetime of saving and avoiding extravagance, by the time he reached the age of 28, Marty was nearly a millionaire. Marty liked his career because it was challenging, and it also gave him the chance to give back by helping people get the money they needed to give their families better lives. As a result, even with all of the riches, Marty didn’t lose his passion, work ethic, and optimism; he believed others would do the right thing when given the opportunity.

This made Marty a great boss and friend. It’s also what made him a target.

“Malevolent” Marie, his assistant, saw an opportunity and took advantage of Marty’s trusting good nature. She had visited his NYC home to see how Marty and his family lived, had an idea of his salary based on financial records, and – unfortunately for Marty – had a key to his office and desk. This is all the info she would need.

For as savvy as Marty was academically, his trusting nature and faith in people led to ignorance when it came to security awareness.

For weeks, Marty had talked to Marie about his plans to take him family on a safari vacation and “unplug” for a while. And Marie had made plans of her own. The day finally came when Marty left early for his vacation. While he was on a flight, Marie was back in the office, using her key to unlock Marty’s office and search through his locked desk. There she found the golden ticket—a paper with all of Marty’s user names and passwords. Marie grabbed her phone, snapped a picture, returned everything to its place and went home.

Once she knew Marty would be out-of-pocket, unable to retrieve any email, Marie went to a local coffee shop with free Wi-Fi, took out a new tablet that she recently purchased from a street vendor for this moment, and logged-in to Marty’s banking accounts using his username and password—quickly authorizing an immediate transfer of Marty’s accounts to an off-shore bank she had set-up.

Unfortunately for Marty, who had worked hard to build his nest egg, Marie now had her retirement plan set. She packed her bags, purchased a plane ticket, and headed to a Caribbean island to live off the money Marty had worked a lifetime to earn.

By the time Marty returned home and put together all of the pieces, it was too late. “Malevolent” Marie was already gone with his life savings… and his nightmare had just begun.


IoT Nightmares LogoIn the above scenario, Marty would have to go through legal channels to attempt to locate Marie, seize the account funds, and bring her back from the Caribbean for justice. One could only imagine Marty’s dismay when he first realized what had happened, but how could this nightmare be avoided?

A critical security misstep here was Marty’s lack of two-factor authentication for his mobile banking application. Too many individuals rely on username and password for account access, and often times, they write-down those same passwords on paper or save them in documents they believe are safeguarded.

Had Marty signed-up for the two-factor authentication option offered by his bank, Marie would have needed to not only locate his username credential, but also obtained Marty’s token for the next layer of account access protection.

To find out more about how two-factor authentication can help you, visit our Online Banking Security page.

The IoT Nightmares don’t end here!

Check out the previous entries in the IoT Nightmares series — Who Turned Out the Lights? and Prison Break — and enter our IoT Nightmares Sweepstakes for a chance to win a Pebble smartwatch.

 

read more »

CLAS Consultant Update
By Iain Kothari-Johnson

Throughout 2014 more and more UK government agencies are asking SafeNet to help them encrypt sensitive data in motion.  In fact we’ve seen a double-digit percentage increase of SafeNet high-speed encryption shipments (1H 2013 vs 1H 2014) to the public sector.

Why encrypt data in motion?

We all know that sensitive data needs to be protected, especially in the public sector where citizen information is extremely sensitive.  But what happens to data in motion when it’s transmitted to other locations? Once it’s in motion, you’re no longer in control of it, and, if unencrypted, it can be ‘tapped’ with relative ease by cyber-criminals, or misdirected unintentionally either by human or machine error.

Why SafeNet?

SafeNet provides the world’s leading certified Layer 2 high speed encryptors that are fully assured by UK public sector and CAPS certified. These encryptors ensure the most secure data-in-motion protection, maximum performance, near-zero overhead with “set and forget” management, and lowest total cost of ownership.

Strongest Protection
SafeNet high-speed encryptors mitigate the risk of communication interception (Sniffing), traffic analysis and fibre tapping.

Among the solutions SafeNet offers are triple-certified CAPS, FIPS 140-2 Level 3, Common Criteria certified appliances that are listed in the NATO Information Assurance Product Catalogue for the protection of restricted information.

Maximum Performance & Efficiency
SafeNet high-speed encryptors enable public sector to make the most out of their expensive 10Gb pipes by encrypting sensitive data (often compliance bound).  Encrypt 10Gb pipes at line speed with almost zero latency and zero impact on network bandwidth or other network assets.

Lowest Total Cost of Ownership
SafeNet high-speed encryptors provide best-in-class enterprise high-speed encryption that can reduce network costs by as much as 50 percent, compared to solutions such as IPSEC that encrypt at Layer 3 for example.

To secure your data in motion, you need to encrypt it. By encrypting the data, you can be assured that however accessed by an unauthorized party, it is protected. The simplest and best approach is to provide protection that stays with the data, wherever it is being sent. High speed encryption does exactly that.

For more information on high-speed encryption for the public sector contact:

Iain Kothari-Johnson
SafeNet Public Sector Subject-Matter Expert
+44 7917 728290

Data in Motion Security Infographic

read more »

Prison Break - Internet of Things Security

Our new prisoner had been here only a few days, but he was already causing a stir among his fellow inmates. Thrown in with two-bit crooks, robbers, rapists, and murders, we all chuckled at the sight of him. Mid-twenties, slight, and no taller than 5’ 8”, Mark Davis looked wildly out of place among the inmate population at Jefferson Penitentiary. His dossier told another story. Part of a team of hackers accused of perpetrating some of the most prolific breaches the world had ever seen, for years he was known simply as De1!ingr.

His luck ran out. Convicted of 10 counts of Computer Misuse, De1!ingr found himself confined to a 6×8’ jail cell, and deprived of any contact with a computer whatsoever. And yet, he seemed at ease.

The other guards and I watched as he mingled—no—held court, with other inmates. They listened intently as he spoke, as if everything he said were the gospel.

“He’s getting along nicely,” the other guards would say sarcastically.

We were dumfounded. That is, until Sunday evening.

***

In the early hours of Monday morning I was awakened by the sound of a ringing telephone. It took the panicked voice on the other end several attempts to slow down and explain the situation: our resident hacker had escaped.

The security cameras told the story. Prisoners, normally relaxed, appeared to be more awake than normal. They stirred in their cells as if they knew what was to come. Something was on their schedules that wasn’t on ours.

Then, it happened. In an instant each of the cell doors slid open.

Then the doors to the cell block slid open… and finally the doors leading out to the yard.

The guards on duty were stunned, and admittedly slow to react. By the time they had donned their riot gear, the prisoners were running through all corners of the prison. Chaos followed, as outnumbered guards in riot gear fought to subdue the prisoners.

It took several hours before the guards were able to regain control of the prison, and return the prisoners to their cells.

A head count revealed only one prisoner to be missing. In the confusion, De1!ingr had slipped away from the other prisoners, and fled through an open gate to an awaiting getaway car.

An investigation revealed that our systems had been hacked from the outside, undoubtedly by De1!ingr’s partners in crime. He was gone, and our no-escapes record shattered.


IoT Nightmares LogoWhile the story above may seem improbable, research into the vulnerability of correctional facilities revealed that prison cells can indeed be opened by compromising Programing Logic Controllers (PLCs). PLCs are small computers at the heart of keyless correctional facilities. They can be programmed to control a wide variety of things in a correctional facility including security cameras, to temperature controls, and cell doors.

Organizations have only recently become aware of the vulnerability of PLC systems, in large part due to the Stuxnet breach. Stuxnet was one of the first attacks designed to target PLCs with the goal of compromising nuclear centrifuges, and it did so by signing malware with a private key, stolen from a certificate authority, to make it appear as trusted code. Over time this code worked its way to the PLC system, and wreaked havoc. Using a similar approach researchers have managed to compromise the systems of correctional facilities, and manipulate the cell doors.

Certificate Authorities, form the root of trust for the systems we depend on every day. When private keys and certificates are compromised the systems built on that trust fall apart. Preventing attacks of this type requires robust security for the private keys and certificates to ensure only legitimate code is signed. Hardware Security Modules (HSMs) are designed for this purpose, and are the best way to protect cryptographic keys and certificates.

For more information, visit our HSMs for Code Signing page.

The IoT Nightmares don’t end here!

Check out the previous entry in this series, IoT Nightmares: Who Turned Out the Lights?, and enter our IoT Nightmares Sweepstakes for a chance to win a Pebble smartwatch.

read more »

Between rising Internet traffic and trends such as big data, corporate networks are taxed. And with more data being transmitted over networks each day, this opens organizations up to ever-evolving threats and ever-devious cyber-criminals – which can result in huge losses.

A recent Spiceworks survey revealed that 29% of IT pros aren’t encrypting any data in motion, and 74% of those that are encrypting, don’t trust their solutions to be highly effective. This infographic presents the case for how to secure your data in motion effectively as your data needs grow.

Data in Motion Security Infographic

read more »

IoT Nightmares - Smart Grid Attacks

You have a big meeting tomorrow. A large partner is flying in from the west coast to discuss a new joint offering for the cloud. There is so much to prepare for: you need to finalize the presentation, check to make sure WebEx is set-up, and then print off projection reports. You have got to get some sleep so you can wake up early and get this all done by the 9 am start! Alarm. Set.

You wake up, and feel well rested. It is quiet in the house; the birds are chirping; the sun is shining bright. It feels like a relaxing Saturday morning.

Wait! You never feel this refreshed first thing on a weekday morning. The sun is shining? How can that be? You had set the alarm for 5 am! What time is it on the iPhone? 8 am! How? You triple checked the alarm last night.

Then you realize that you still might be alright. You can quickly get ready, start the coffee pot, call into the office for help, and jet out the door. As you rush through the better part of your morning routine, you realize the coffee maker won’t turn on, and the digital display is entirely blank. Must be broken. It’s going to be that kind of day.

At least your cell still works (even though the battery’s a bit low). You call a colleague at the office to see if she can help you. You get an error tone. You try again and get the same thing. What is going on? No time.

You have to get to the office stat, and decide you better take the back roads to avoid traffic lights. You arrive to the office and run up to the door. What now? Your badge won’t work at the front door! It’s not Saturday is it? No. No, it’s definitely Thursday. Why is the office so dark? Other co-workers are arriving now. They look just as rushed and confused.

No alarm. No coffee. No power at the office. No power… anywhere. That’s it! Your town has been hit by a massive blackout.

But this isn’t just any blackout. There wasn’t a massive demand surge on the power grid that caused it to break down. Unbeknownst to you, a hacker group penetrated the network of your local energy company. They were able to get into the system and take it over, shutting down all of the power.

Your world has been blacked out – and it could stay that way for a very long time.


IoT Nightmares LogoWe no longer live in a manual world; we are all connected, including the smart grid—the backbone of the utility and energy market.  From the meters at your home, to communications going back to the utility company, trust must be established at every link. This ensures devices are identified and authentic, software updates in the field are authorized, and access to the systems monitoring and managing the grid are controlled and authenticated.

Without this trusted link, hackers could easily penetrate the grid using sophisticated malware and other tactics- ultimately overriding the grid. Maybe they would start by pushing an unauthorized software update to the meters controlling and monitoring the power to your home; maybe they would get into the central utility operations center and turnoff the power to a section of the grid; maybe they would hit the hacker jackpot and turnoff an entire region.

Smart devices are convenient and efficient. In the case of utilities, the Internet of Things (IoT) is allowing us to better monitor our energy consumption and control its use during peak periods so we can conserve as many resources as possible.

The energy and utility market players know this and they also know the threats that surround it, hence why they have worked with leading providers on building in robust security at the device, communication, and application layers of the smart grid infrastructure.

They have worked with device manufacturers to ensure a trusted supply chain is established during the manufacturing process and that identities are assigned to each meter or meter reader out in the field; they work with their software application developers to ensure in-field firmware updates are authorized and properly provisioned; they implement security technologies to ensure communications are secure and devices. The list goes on.

This infrastructure is only as secure as the private keys and certificates used to protect it—this is where a solid PKI environment becomes critical to avoiding this particular IoT Nightmare. Visit our Smart Grid Security page to learn more.

The IoT Nightmares don’t end here!

Enter our IoT Nightmares Sweepstakes for a chance to win a Pebble smartwatch, and check out our IoT Nightmares security game to explore vulnerabilities impacting this and other industries.

read more »

Recent Tweets

Cloud