The Art of Data Protection
I scanned the street from my window, looking for anyone who may be out of place. The streets were empty, even for this hour. With a push of a button my car, which had been parked a few blocks away, roared to life, the headlights illuminating the street below as it made its way to the entrance of the warehouse.
Grabbing the briefcase, I quickly ran down the stairs and to the car now waiting for me. The rain was coming down in sheets. I searched the narrow street for any sign that I had been noticed. In the distance I could hear the sound of the trash trucks making their morning rounds, but the street was empty. I jumped in the car and closed the door.
“SiD, take me to the airport,” I commanded the car. With that, the car quickly programmed the fastest route to the airport and started down the road.
My plan is coming together, I thought.
3:06 AM, I had just enough time.
The car navigated out of the city and onto I-95 en route to my destination. With each mile marker, I could feel myself nearing freedom. My heart was racing. I made futile attempts to calm my nerves.
You’re fine. They have no idea where you are and where you are going.
For months I had been looking for a way out. Going to the authorities was out of the question; their pockets had been lined by the boss for years. Even the FBI was not to be trusted. My only hope was to seek the protection of the very people I had once called my enemy. And for that, I needed a bargaining chip. The contents of this briefcase represented my last chance at freedom.
Traffic was light through the tunnel. Semi-trucks were making their way to early morning deliveries, and a few cars shuttled their passengers to work. As the car emerged from the tunnel I could see a sign reading: AIRPORT 7 MILES, and I was hit with a wave of excitement. I was almost home free.
As we passed the first exit after the tunnel I noticed a car following closely behind me. Too close to be another automated car, I thought. Manual cars were rare–rarer still at this hour. I worked myself into a panic. This car had to be following me. Why else was he so close?
Through the rearview mirror I could make out three figures in the vehicle, and my heart sank. This is it. They have me.
Then, as quickly as it appeared, the car shifted lanes, and exited the highway. The relief was overwhelming and I laughed at my paranoia.
With just four miles to go my car merged into the right lane and took an unexpected exit. At first I thought that it was adjusting for traffic. Perhaps there was an accident up ahead, I reasoned. Then the car made a right, when it should have gone left.
“SiD,” I commanded, “take me to the airport.”
The car pressed on its course, seeming to ignore my command. Soon we were in the abandoned warehouse district, speeding past long forgotten loading docks. I tried again to reroute the vehicle to the airport, this time using the console, but it refused to break its course.
“Destination reached,” SiD announced as we came to a stop among rows of shipping containers stacked four high, and an older manual car beside them. Then three figures stepped into the beam cast by my headlights and started moving slowly in my direction.
My phone began to ring, and the car answered without prompting me to accept the call.
“You have something of mine, Mr. Thompson,” said the voice on the other end, “and I would like it back.”
Autonomous cars will change our commute forever. They have the ability to enhance the safety and efficiency of road travel, while potentially making our time in the car more productive. Although this technology is exciting, researchers have only recently begun to understand the security challenges inherent in vehicles on the road today. Video demonstrations show just how vulnerable and dangerous an improperly secured car can be.
Autonomous navigation will increase the potential harm that could be caused by skilled hackers manipulating our vehicles. With recent estimates predicting that 75% of vehicles on the road will be autonomous by 2040, it is clear that the security of this technology must become a top priority.
The IoT Nightmares don’t end here!
Check out the previous entries in the IoT Nightmares blog series:
- Who Turned Out the Lights? – Utilities’ IoT Nightmare
- Prison Break – Correctional Facilities’ IoT Nightmare
- From Riches to Rags – Financial Services’ IoT Nightmare
You can also enter our IoT Nightmares Sweepstakes by October 31st for a chance to win a Pebble smartwatch, and play our IoT Nightmares Security Game to explore the risks the Internet of Things introduces to retail, healthcare, financial services, and other industries.
Marty didn’t always have it easy. Growing up, he lived in poverty for much of his young life, doing odd jobs around his small town to provide for his family. His small town upbringing and family struggles taught him early on the importance of hard work, integrity, and trusting those around him. When he wasn’t working or going to school, he would spend hours reading classic literature and history. Marty, even with all of his troubles, was top of his class.
You can imagine how elated he and his family were for him to get a full college scholarship at an Ivy League school. His college years were no different from his childhood and teenage years. He worked hard and graduated at the top of his class with a finance degree, and he was now off to New York City to work his way to the top of a major investment firm.
Dedication, financial responsibility and good investments – both for himself and his clients – paid off. Thanks to a lifetime of saving and avoiding extravagance, by the time he reached the age of 28, Marty was nearly a millionaire. Marty liked his career because it was challenging, and it also gave him the chance to give back by helping people get the money they needed to give their families better lives. As a result, even with all of the riches, Marty didn’t lose his passion, work ethic, and optimism; he believed others would do the right thing when given the opportunity.
This made Marty a great boss and friend. It’s also what made him a target.
“Malevolent” Marie, his assistant, saw an opportunity and took advantage of Marty’s trusting good nature. She had visited his NYC home to see how Marty and his family lived, had an idea of his salary based on financial records, and – unfortunately for Marty – had a key to his office and desk. This is all the info she would need.
For as savvy as Marty was academically, his trusting nature and faith in people led to ignorance when it came to security awareness.
For weeks, Marty had talked to Marie about his plans to take his family on a safari vacation and “unplug” for a while. And Marie had made plans of her own. The day finally came when Marty left early for his vacation. While he was on a flight, Marie was back in the office, using her key to unlock Marty’s office and search through his locked desk. There she found the golden ticket—a paper with all of Marty’s user names and passwords. Marie grabbed her phone, snapped a picture, returned everything to its place and went home.
Once she knew Marty would be out-of-pocket, unable to retrieve any email, Marie went to a local coffee shop with free Wi-Fi, took out a new tablet that she recently purchased from a street vendor for this moment, and logged in to Marty’s banking accounts using his username and password—quickly authorizing an immediate transfer of Marty’s accounts to an off-shore bank she had set up.
Unfortunately for Marty, who had worked hard to build his nest egg, Marie now had her retirement plan set. She packed her bags, purchased a plane ticket, and headed to a Caribbean island to live off the money Marty had worked a lifetime to earn.
By the time Marty returned home and put together all of the pieces, it was too late. “Malevolent” Marie was already gone with his life savings… and his nightmare had just begun.
In the above scenario, Marty would have to go through legal channels to attempt to locate Marie, seize the account funds, and bring her back from the Caribbean for justice. One could only imagine Marty’s dismay when he first realized what had happened, but how could this nightmare be avoided?
A critical security misstep here was Marty’s lack of two-factor authentication for his mobile banking application. Too many individuals rely on username and password for account access, and oftentimes they write down those same passwords on paper or save them in documents they believe are safeguarded.
Had Marty signed up for the two-factor authentication option offered by his bank, Marie would have needed to not only locate his username credential, but also obtain Marty’s token for the next layer of account access protection.
To find out more about how two-factor authentication can help you, visit our Online Banking Security page.
CLAS Consultant Update
By Iain Kothari-Johnson
Throughout 2014, more and more UK government agencies have been asking SafeNet to help them encrypt sensitive data in motion. In fact, we’ve seen a double-digit percentage increase in SafeNet high-speed encryption shipments (1H 2013 vs 1H 2014) to the public sector.
Why encrypt data in motion?
We all know that sensitive data needs to be protected, especially in the public sector where citizen information is extremely sensitive. But what happens to data in motion when it’s transmitted to other locations? Once it’s in motion, you’re no longer in control of it, and, if unencrypted, it can be ‘tapped’ with relative ease by cyber-criminals, or misdirected unintentionally either by human or machine error.
SafeNet provides the world’s leading certified Layer 2 high speed encryptors that are fully assured by UK public sector and CAPS certified. These encryptors ensure the most secure data-in-motion protection, maximum performance, near-zero overhead with “set and forget” management, and lowest total cost of ownership.
SafeNet high-speed encryptors mitigate the risk of communication interception (sniffing), traffic analysis and fibre tapping.
Among the solutions SafeNet offers are triple-certified CAPS, FIPS 140-2 Level 3, Common Criteria certified appliances that are listed in the NATO Information Assurance Product Catalogue for the protection of restricted information.
Maximum Performance & Efficiency
SafeNet high-speed encryptors enable the public sector to make the most of its expensive 10Gb pipes by encrypting sensitive data (often compliance bound). Encrypt 10Gb pipes at line speed with almost zero latency and zero impact on network bandwidth or other network assets.
Lowest Total Cost of Ownership
SafeNet high-speed encryptors provide best-in-class enterprise high-speed encryption that can reduce network costs by as much as 50 percent, compared with solutions such as IPsec that encrypt at Layer 3.
To secure your data in motion, you need to encrypt it. By encrypting the data, you can be assured that however accessed by an unauthorized party, it is protected. The simplest and best approach is to provide protection that stays with the data, wherever it is being sent. High speed encryption does exactly that.
For more information on high-speed encryption for the public sector contact:
SafeNet Public Sector Subject-Matter Expert
+44 7917 728290
Our new prisoner had been here only a few days, but he was already causing a stir among his fellow inmates. Thrown in with two-bit crooks, robbers, rapists, and murderers, we all chuckled at the sight of him. Mid-twenties, slight, and no taller than 5’ 8”, Mark Davis looked wildly out of place among the inmate population at Jefferson Penitentiary. His dossier told another story. Part of a team of hackers accused of perpetrating some of the most prolific breaches the world had ever seen, for years he was known simply as De1!ingr.
His luck ran out. Convicted of 10 counts of Computer Misuse, De1!ingr found himself confined to a 6×8’ jail cell, and deprived of any contact with a computer whatsoever. And yet, he seemed at ease.
The other guards and I watched as he mingled—no—held court, with other inmates. They listened intently as he spoke, as if everything he said were the gospel.
“He’s getting along nicely,” the other guards would say sarcastically.
We were dumfounded. That is, until Sunday evening.
In the early hours of Monday morning I was awakened by the sound of a ringing telephone. It took the panicked voice on the other end several attempts to slow down and explain the situation: our resident hacker had escaped.
The security cameras told the story. Prisoners, normally relaxed, appeared to be more awake than normal. They stirred in their cells as if they knew what was to come. Something was on their schedules that wasn’t on ours.
Then, it happened. In an instant each of the cell doors slid open.
Then the doors to the cell block slid open… and finally the doors leading out to the yard.
The guards on duty were stunned, and admittedly slow to react. By the time they had donned their riot gear, the prisoners were running through all corners of the prison. Chaos followed, as outnumbered guards in riot gear fought to subdue the prisoners.
It took several hours before the guards were able to regain control of the prison, and return the prisoners to their cells.
A head count revealed only one prisoner to be missing. In the confusion, De1!ingr had slipped away from the other prisoners, and fled through an open gate to an awaiting getaway car.
An investigation revealed that our systems had been hacked from the outside, undoubtedly by De1!ingr’s partners in crime. He was gone, and our no-escapes record shattered.
While the story above may seem improbable, research into the vulnerability of correctional facilities revealed that prison cells can indeed be opened by compromising Programmable Logic Controllers (PLCs). PLCs are small computers at the heart of keyless correctional facilities. They can be programmed to control a wide variety of things in a correctional facility, including security cameras, temperature controls, and cell doors.
Organizations have only recently become aware of the vulnerability of PLC systems, in large part due to the Stuxnet breach. Stuxnet was one of the first attacks designed to target PLCs with the goal of compromising nuclear centrifuges, and it did so by signing malware with a private key, stolen from a certificate authority, to make it appear as trusted code. Over time this code worked its way to the PLC system, and wreaked havoc. Using a similar approach, researchers have managed to compromise the systems of correctional facilities and manipulate the cell doors.
Certificate Authorities form the root of trust for the systems we depend on every day. When private keys and certificates are compromised, the systems built on that trust fall apart. Preventing attacks of this type requires robust security for the private keys and certificates to ensure only legitimate code is signed. Hardware Security Modules (HSMs) are designed for this purpose, and are the best way to protect cryptographic keys and certificates.
For more information, visit our HSMs for Code Signing page.
Sharon Ginga, October 15, 2014, 10:30 am EDT
Between rising Internet traffic and trends such as big data, corporate networks are taxed. And with more data being transmitted over networks each day, organizations are opened up to ever-evolving threats and ever-devious cyber-criminals – which can result in huge losses.
A recent Spiceworks survey revealed that 29% of IT pros aren’t encrypting any data in motion, and 74% of those that are encrypting don’t trust their solutions to be highly effective. This infographic presents the case for how to secure your data in motion effectively as your data needs grow.