The Key IoT Security Questions You Need To Ask

Microsoft IoT Security

An Internet of Things (IoT) solution offers a multitude of business benefits from decreased operational costs to new revenue streams. But it also comes with a host of security considerations, including an ever-changing array of regulatory compliance requirements, demanding expert navigation and acute attention to detail.

Below I’ve listed some of the critical questions to ask when deploying a secure IoT solution. To learn more about IoT security, be sure to register for the IoT in Action event in San Francisco on February 13.

How secure are your things?

For starters, the actual devices must be secure. In the next few years, a new wave of innovation will drive down costs and inundate the market with internet-connected devices in every price range, from electronic toys to manufacturing sensors. In anticipation of this, my Microsoft colleagues have identified The seven properties of highly secure devices. I have listed out each of these properties below, along with the fundamental questions you must ask:

  1. The hardware-based root of trust: Does each device have a unique identity that is inseparable from the hardware?
  2. Small trusted computing base: Is most of the device’s software outside its trusted computing base?
  3. Defense in depth: Does your device software have multiple layers of protection built-in?
  4. Compartmentalization: Are you using hardware-enforced barriers to stop failures from propagating to other components?
  5. Certificates-based authentication: Do your devices use certificates (vs. passwords)?
  6. Renewable security: Can the device’s software be updated automatically to a more secure state?
  7. Failure reporting: Do you have a solution in place to report software failures to the manufacturer?

How secure are your connections? 

More to the point, when you’ve got a bunch of devices talking to each other over the internet, how will you safeguard data confidentiality and integrity? When choosing an IoT monitoring and connection solution, make sure that it is using industry-proven data encryption. Solutions like the Azure IoT Suite secure the internet connection between the IoT device and IoT hub using the Transport Layer Security (TLS) standard.

Another question to ask is how you will prevent unsolicited inbound connections from wreaking havoc on your devices? Make sure that only devices are allowed to initiate connections and not the IoT hub. And speaking of the IoT hub: make sure that the one you’re using has the capability of maintaining a per-device queue – meaning that it can store messages for devices and wait for the devices to connect. For more on this topic, be sure to read IoT security from the ground up.

How secure is your cloud solution?

Is your cloud provider following rigorous security best practices? When choosing a cloud provider, make sure you pay careful attention to how they are handling the following areas.

  1. Network traffic segregation: Is IoT traffic segregated from other network traffic using an IoT gateway or other means?
  2. Monitoring: How is network traffic being monitored? How will you know if any credentials are compromised or if unmanaged devices are accessing your cloud services?
  3. Security controls: How well do you know your cloud provider’s SLA (service-level agreement)? Which security controls are being maintained by your provider and which will you need to address internally?
  4. Encryption and security key management: Does your IoT solution allow you to define access control policies for each security key? Is data in the cloud encrypted?

Have you registered for IoT in Action in San Francisco, CA on February 13, 2018?

These questions only scratch the broad surface of IoT security. To learn more about securing your IoT solution, register for this free, one-day event. You’ll hear from the researchers behind The seven properties of highly secured devices and see an IoT solution come to life before your eyes. You’ll also get insights into how Microsoft addresses IoT security through its Azure solutions. Plus, connect with partners who can help you bring your IoT solution from concept to reality. View the full agenda.

The post The Key IoT Security Questions You Need To Ask appeared first on ReadWrite.

Read the Full Article here: >ReadWriteWeb

ATM ‘jackpotting’ hacks reach the US

For some ATM thieves, swiping card data involves too much patience — they’d rather just take the money and run. The US Secret Service has warned ATM makers Diebold Nixdorf and NCR that "jackpotting" hacks, where crooks force machine to cough up large sums of cash, have reached the US after years of creating problems in Asia, Europe and Mexico. The attacks have focused largely on Diebold’s front-loading Opteva ATMs in stand-alone locations, such as retail stores and drive-thrus, and have relied on an combination of malware and hardware to pull off heists.

In previous attacks, the thieves disguised themselves as technicians to avoid drawing attention. After that, they hooked up a laptop with a mirror image of the ATM’s operating system and malware (Diebold also mentioned replacing the hard drive outright). Security researcher Brian Krebs understands American ATMs have been hit with Ploutus.D, a variant of "jackpotting" malware that first launched in 2013. The mirror image needs to be paired with the ATM to work, but that’s not as difficult as you might think — the intruders used endoscopes to find and press the necessary reset button inside the machine. Once done, they attached keyboards and used activation codes to clean out ATMs within a matter of minutes.

NCR hasn’t been explicitly targeted in these attacks, but it warned that this was an "industry-wide issue" and urged caution from companies using its ATMs.

It’s definitely possible to thwart attacks like this. The Secret Service warned that ATMs still using Windows XP were particularly easy targets, and that updating to Windows 7 (let alone Windows 10) would protect against these specific attacks. Diebold also recommended updating to newer firmware and using the most secure configurations possible. And both organizations recommended physical security changes, such as using rear-loading ATMs, locking down physical access and closely watching for suspicious activity like opening the machine’s top.

The catch, of course, is that ATM operators either haven’t been diligent or may have a hard time justifying the updates. It’s telling that victim machines have been running XP, a 16-year-old platform whose official support ended in 2014 — the odds aren’t high that companies will keep their ATMs up to date, let alone replace them with more secure models or institute advanced defenses. You may not see a widespread attempt to combat jackpotting in the US until the problem becomes too large to ignore.

Via: Reuters

Source: Krebs on Security

Read the Full Article here: >Engadget

Google X Is Launching a Cybersecurity Company Called Chronicle

Google’s parent company Alphabet today announced the launch of Chronicle, a new cybersecurity company that aims to give companies a better chance at detecting and fighting off hackers. "Chronicle is graduating out of Alphabet’s X moonshot group and is now a standalone company under the Alphabet umbrella, just like Google," TechCrunch reports. From the report: Stephen Gillett, who joined X from Google Ventures and was previously the COO of Symantec, will be the new company’s CEO. To get started, Chronicle will offer two services: a security intelligence and analytics platform for enterprises, and VirusTotal, the online malware and virus scanner that Google acquired in 2012. Gillett writes that the general idea behind Chronicle is to eliminate a company’s security blind spots and allow businesses to get a better picture of their security posture. "We want to 10x the speed and impact of security teams’ work by making it much easier, faster and more cost-effective for them to capture and analyze security signals that have previously been too difficult and expensive to find," writes Gillett. "We are building our intelligence and analytics platform to solve this problem." What exactly this new platform will look like remains to be seen, though. Gillett notes that it will run on Alphabet’s infrastructure and use machine learning and advanced search capabilities to help businesses analyze their security data. Chronicle also says that it will offer its services in the cloud so that they can "grow with an organization’s needs and don’t add yet another piece of security software to implement and manage."



Share on Google+

Read more of this story at Slashdot.

Read the Full Article here: >Slashdot: News for nerds, stuff that matters

Massive Health Care Data Breach in Norway

Cybercriminals have stolen a massive trove of Norway’s healthcare data in a recent data breach, which likely impacts more than half of the nation’s population.

An unknown hacker or group of hackers managed to breach the systems of Health South-East Regional Health Authority (RHF) and reportedly stolen personal info and health records of some 2.9 million Norwegians out of the country’s total 5.2 million inhabitants.

Health South-East RHA is a healthcare organisation that manages hospitals in Norway’s southeast region, including Østfold, Akershus, Oslo, Hedmark, Oppland, Buskerud, Vestfold, Telemark, Aust-Agder and Vest-Agder.

Read more at https://thehackernews.com/2018/01/healthcare-data-breach.html

Mahesh Balan

Director
Mob:+91 94440 19237

Want To Try Hacking Computers Legally? Here’s How

Have you ever fancied yourself as a computer hacker or penetration tester? Have you ever read about hacking and wondered just how easy or hard it would actually be to achieve?

Of course, hacking someone else’s computer without their permission is illegal pretty much everywhere. And setting up a network of computers yourself, purely to hack them, is time-consuming. But thankfully there’s another way.

Hack The Box is a network of computers which has been set up for you to hack. It’s all legal, and the idea is to allow people to test their technical skills and techniques. It’s also free to use, and good fun. But be aware that it’s aimed at people with a good deal of technical knowledge (or those who think they have it!).  Read More

Read the Full Article here: >Gizmos Freeware Reviews

Someone Published a List of Telnet Credentials For Thousands of IoT Devices

An anonymous reader writes: A list of thousands of fully working Telnet credentials has been sitting online on Pastebin since June 11, credentials that can be used by botnet herders to increase the size of their DDoS cannons. The list includes an IP address, device username, and a password, and is mainly made up of default device credentials in the form of "admin:admin", "root:root", and other formats. There are 33,138 entries on the list, which recently became viral on Twitter after several high-profile security experts retweeted a link to it. During the past week, a security researcher has been working to find affected devices and notify owners or their ISPs. Following his work, only 2,174 devices still allow an attacker to log on via its Telnet port, and 1,775 of the published credentials still work. "There are devices on the list of which I never heard of," the researcher said, "and that makes the identification process much slower."



Share on Google+

Read more of this story at Slashdot.

Read the Full Article here: >Slashdot: News for nerds, stuff that matters

Thousands of ATMs Go Down in Indonesia After Satellite Problems

Thousands of ATMs and electronic card payment machines in Indonesia went offline over the weekend, and it might take two more weeks before full service is restored, after an outage from a satellite belonging to state-controlled telecom giant PT Telekomunikasi Indonesia (Telkom). From a report: Around 15,000 ground sites across Indonesia were affected by the problem on the ‘Telkom-1’ satellite, whose service is used by government agencies, banks, broadcasters and other corporations, Telkom’s president director Alex Sinaga told reporters on Monday. A shift in the direction of the satelliteâ(TM)s antenna, which was first detected last Friday, had disrupted connectivity. Bank Central Asia (BCA), Indonesia’s largest bank by market value, had around 5,700 of its ATMs affected by the outage, or 30 percent of the total operated by the bank, BCA chief executive Jahja Setiaatmadja told reporters. The Internet connection in some remote BCA branches were also affected, he said.



Share on Google+

Read more of this story at Slashdot.

Read the Full Article here: >Slashdot: News for nerds, stuff that matters

Microsoft unveils ‘Minecraft’ edition Xbox One S

How devoted are you to Minecraft? Devoted enough that you want your console to be a living, breathing representation of the construction game? If so, you’re in luck. Microsoft has unveiled a limited edition Minecraft Xbox One S that drapes the entire console in Mojang’s blocky art style. There’s a grass block on the front, a transparent, redstone-laced bottom and a Creeper-themed green controller (there’s an optional pink, pig-themed gamepad). Naturally, it’ll include a copy of Minecraft (with the Better Together update).

The system arrives on October 3rd. Microsoft hasn’t detailed pricing or regional availability as we write this, but it’ll ship with a 1TB hard drive. We wouldn’t expect it to carry a significant premium over a plain Xbox One S with a bundled game, but don’t be surprised if this becomes the system to get among Minecraft players… well, those who don’t want to play in 4K, at least.

Source: Xbox Wire

Read the Full Article here: >Engadget