How can privacy survive in the era of the internet of things?

As more and more devices are connected, there are two futures when it comes to privacy. Which one will we pick?

Amazon’s new Dash button, which will order replacement products at the touch of a button, might well usher us further towards the internet of things (IoT), in which a variety of connected devices talk to each other, quietly doing our bidding.

The next step: household appliances that re-order consumables automatically, without the need for a button at all. But what does this universe of connected devices mean for our privacy?

Companies have been talking about the IoT for years. There are many possible visions of it. Some think it’s about your smartwatch talking to your car, while your fridge independently talks to the grocery store to order you some more milk.

Others have a more pervasive vision of hundreds, perhaps even thousands, of embedded, invisible devices that you touch in some way throughout your day.

These could include everything from an embedded sensor in a petrol pump that knows whether you are filling your car with regular or premium, through to sensors in your office building that know where you are and display your files on the nearest screen, through to toothbrushes that know how long and vigorously you’re brushing for.

Whichever way you cut it, the IoT is going to be big. In December 2013, Gartner predicted 26 billion devices installed by 2020. That’s not quite on par with Cisco’s 50 billion, but it’s not inconsiderable, given the relative shipments of more traditional devices.

The PC age began in 1981, and while they were predicted to have reached an installed base of 2bn last year, their growth was hindered by tablets and 2-in-1s, which only began shipping in 2010 and of which 230m currently ship each year. The GSMA, which charts the growth of smartphones after Apple shipped the iPhone in 2007, says that by the end of this year there will be 2.2bn of them installed worldwide.

Clearly, as devices become smaller, they tend to ship more quickly. All of these represent just a fraction of the projected IoT device count within four years. It seems pretty clear that an awful lot of them will be sensors.

What will they be sensing? The obvious scenario is health and fitness, thanks to the increasing number of wearable fitness devices on the market. But we are likely to see sensors for everything from public transport passenger counts through to energy meters, medical devices, environmental sensors, home security, parking meters, and vending machines.

A Big Brother made of little things

Whenever someone introduces a pervasive new technology, someone else gets worried about it. With many already worried about surveillance issues, it’s no wonder that nightmare privacy scenarios surrounding the IoT have been popping up.

“The scariest thing is that we don’t know what the scariest thing is,” said Geoff Webb, senior director of solution strategy at identity and access management firm NetIQ.

The problem with the IoT is that no one quite knows what it’s going to look like. It’s a continuum that things like Amazon’s Dash, connected cars and smart meters usher us along, rather than a state that we suddenly enter. No one really understood how the internet was going to affect things, and the impact of the IoT will probably be more pervasive, rolling out over time, but affecting us more immediately and in more profound ways.

One thing we can predict is that an internet of sensors and other devices could generate a vast ocean of information about our activities.

“People can pull that information together in ways that are very difficult to predict,” said NetIQ’s Webb.

Some rental car firms now include sensors in the vehicles that warn drivers if they are driving too recklessly, based on how quickly and volatile its movements are. Some services are using phone services to do the same. He worries that people might be denied car insurance, for example, based on sensors like these delivering data to interested parties.

“The capacity to correlate information is going to change all of those interactions,” worries Webb. “I lose power over a great deal of my life when there’s a massive amount of information over me that I don’t have control over.”

What about other breaches, though, that may be more difficult to avoid, or are simply invisible? Could your utility’s smart meter – or your Google Nest device – know when you arrive and leave at your home based on energy usage patterns? When your smart bathroom scale beams data to a cloud-based health service, could that data be used by a health insurance provider?

Scary scenarios

Some of these things may seem implausible, but there are already worrying signs. Smart TVs have been found to collect a little too much data about your viewing habits and files, or simply beam eavesdropped conversations back to a manufacturer. And US legislators have attempted – but so far failed to enact – the mandatory installation of ‘black box’ recorders in new vehicles.

The scary scenarios are legion, and they’re serious enough that government regulators are getting interested. In January, the FTC produced a report on the IoT, highlighting some of the risks, and suggesting some ways to mitigate them.

Cora Han, an attorney in the privacy and identity protection division at the FTC, said that companies involved with the IoT should consider “data minimisation” a priority.

“Your device may well need to collect information, and that’s fine, but you should be up front about it, and think about if you need to collect all that information, and how you store it, and whether it makes sense to dispose of it when you no longer need it,” she said.

The data she’s talking about has a monetary value, though, which makes it important to those companies. In many cases, their job is to deliver shareholder value, which means making money where they can.

“Many of the reasons that these products are very inexpensive is because part of the business model is the ability to collect and resell your data,” said Chris Rouland, founder and CEO of Bastille, a company that scans for IoT devices and mitigates their security threats. Your sensor-packed wearable device isn’t really the product, he says – you are.

Politicians “irrelevant”

With that in mind, shouldn’t regulators step in and tighten legislation? The FTC advised against IoT-specific legislation, but called for baseline privacy legislation in the US. In the UK and Canada, such legislation already exists.

Forget the law, said Rob van Kranenberg. “Policies are no longer hacking it. Politicians are fully irrelevant,” said the founder of the IoT Council, a loosely-connected group of professionals that consults on the subject. “What are you going to do with innovative startups that disrupt this? Put them in jail? Fine them?”

“If we want to steer these developments we have to build a system together in which to harness the new ‘oil’: the data of our citizens,” he said.

What does that look like? We need more sophisticated conversations about privacy with the companies harvesting our data from these devices, say commentators. The trouble is, few people seem to have figured out what those interfaces might look like yet. With such a vast amount of data being shared about individuals, trying to set those parameters individually will be tough.

James Schmidt, EMEA director of partner product management Intel Security, says it could be transactional, with people agreeing to give up some data to get rewards, say. “We’re already there. It’s just going to be an evolution,” he said, giving fitness wearables as an example. “If you go to a portal to check out how many kilometers you ran, it could say ‘you hit this specific milestone, would you like to get points with this particular vendor’.”

Rouland sees privacy in the IoT as equivalent to the ‘organic’ label on food; something that users may pay a premium for, to get peace of mind.

“I see an opportunity to pay a premium for retaining my own data, or at least guaranteeing that my data is de-attributed from me,” he said, adding that he’d happily pay his fitness wearable provider another $1.99 (£1.33) a month not to sell his data somewhere else.

Giving power back to individuals

Paying the vendor not to breach your privacy feels more like a protection racket. Others want to put privacy square back in the hands of the individual, by giving them the power to dictate who can access their data.

Usman Haque is the founder of Thingful, which he calls a search engine for the IoT. It documents IoT devices around the world, categorising them by function, so that you search for, say, air quality in Manhattan. Haque says that people should be able to set policies governing which devices can talk to the devices that they own, and what information is shared about them.

“I can make data available in real-time to my doctor, but I might delegate access to monthly figures to my mother,” he explains. “And I might be happy to participate in a medical study where I give the years’ aggregate data. So privacy has to be granular.”

Haque and Kranenberg are working on a “device entitlement layer”, in the form of the Dowse Box. This is a device that plugs into your home network, and allows you to define what connects with it, and how. So, if your new smart meter decides to connect to your utility and tell it things about you, the box would let you know, and give you the chance to do something about it. The team is planning a smart meter device with Dowse integrated in it.

Kranenberg sees more utility in such a box than mere data defence, however. “We could build an internet of neighbourhoods platform on these Dowse boxes, where people start sharing music. We could also create a platform for sharing cars, tools, and food – all the things in these transition town kind of things that are happening,” he said.

A market for personal data

Kranenberg envisages a system in which people could auction their data on an IoT version of eBay, selling it to commercial entities if they wish. But he also says they may give access to others who enhance it for them in some way, perhaps even paying those organisations a fee, creating an entire new market for data in which its owners are equal participants and beneficiaries.

What kinds of enhancements might those be? Haque dismisses what he calls the “1950s” vision of the IoT, where your fridge orders you milk and chats to your smart watch. Instead, he envisages an IoT with connected asthma inhalers, which log where they are used and contribute this data to a network of other inhalers. An inhaler could then warn its user when they enter a risky area where lots of people have needed to use theirs.

So, as often happens in science fiction, we are faced with two possible futures, one dystopian, and one utopian. More realistically, we might get one in which we manage to survive and prosper, in spite of the privacy challenges. So, yes, an Amazon Dash-style IoT predicated on consumption and inaction, but also hopefully a more imaginative one, in which creation and co-operation also have agency.

“We are at the beginning of this, and there is an opportunity to set the agenda,” said Haque.

The worrying part is that we don’t seem to be setting the agenda very well right now, with our centralized servers, PCs and smart phones. In fact, with security and privacy breaches popping up weekly, and with systematic government snooping, you might argue that we have done a terrible job.

Are we equipped to learn from our mistakes and take control of our own data in a world that promises to be saturated with sensors? Perhaps the first step is to be aware of the IoT, and what it can do.

New IPhone Case Charges Your Phone Battery Without Being Plugged In

Nikola Labs has launched an iPhone case that transforms radio frequencies into DC electrical current and thus, can charge devices. The first device running on this mechanism is a case for iPhone 6. It doesn’t require extra battery though and works passively.

What if your smartphone case was able to harvest electricity right out of the air around the handset and prolong its battery life? Yes, it’s happening now!

The technology for transmitting electric current over wires was pioneered by Nikola tesla and later Heinrich Hertz showed that it can also be transmitted wirelessly. However, we still utilize the 19th century technology for providing electrical current to 21st century devices. Now, Nikola Labs has endeavoured to change the way our daily usage devices are powered.

Image source: Nikola.com

Nickola Labs, which was selected as the wild card choice by TechCrunch editorial team and the audience from Startup Alley, has launched a device that transforms radio frequencies into DC power. This device, therefore, can easily power devices.

Today, Nikola Labs launched their first such product- an iPhone6 case. This case utilizes the same technology and converts the otherwise wasted 90% of energy that the phone produces to extract a cellphone signal and pushes it back into the phone. This way it powers up the phone for up to 30% longer. The case works passively and doesn’t need extra batteries because basically it harvests back the already produced ambient RF energy of the phone.

Image source: Nikola.com

Nikola Labs aims to launch this case into the market within a year in collaboration with Ohio State University, since the technology originally was developed and licensed at this university.

This technology can also be used in numerous other devices such as in wearable gadgets, embedded sensors, Internet of Things devices and medical devices. It is compatible with just about any device that doesn’t need high amount of electricity.

The case will be launched on Kickstarter within a month at the price tag of $99. Nikola Labs aims to ship it inside in the upcoming four months.

The product has been launched by Nikola Labs in that very building where Nikola Tesla lived and eventually died.

Anonymous Steals 1 Terabyte Passwords From Expo 2015 In Italy

Anonymous Italian attackers continue to haunt the Expo 2015 Universal Exposition being hosted in Milan as it faces an array of attacks under the Operation Italy(#OpItaly).

There is a whole team force of hackers aimed at targeting systems of the organization and its affiliated companies and their latest prey is the online ticketing sale management company “Best Union”.

The Anonymous Italy began on April 30, the day before the opening ceremony with a series of DDoS that hit the official website for the sale of tickets (tickets.expo2015.org). The cyber-attacks continued erratically for about two days.

The “hacktivists” are targeting the Expo 2015 to protest against the alleged corruption that has taken over the event as one of their twitter message also suggested. On May 1st, during a street mass protest against the EXPO 2015, Anonymous attacked the website myexpo.expo2015.it. Yet again.

A TWEET FROM ANONYMOUS ITALY WITH A SCREENSHOT OF BEST UNION’S DATABASE: 

While the organization of Expo 2015 combated the attack aftereffects, Anonymous persistently carried on its operation, anonymous Italy published a new statement regarding their cyber-attacks against the organization calling the EXPO management “petty liars and incompetent” as according to them the site of the online ticketing service was out on the night of April 30, they challenged them with dire consequences, according to a report.

The hackers apparently of the Italian Wing of the collective, successfully attacked and impaired the website of the padiglioneitaliaexpo2015.

In their latest series of attacks against the service provided by the Best Union, they permitted the member of Anonymous Italy to steal data from the database of the server used by the company, the database dump estimated to have “1 Terabyte of stolen leaks” belonging to online ticket buyers, this seems to be a case of leaked passwords.

It is essential that precautionary measures must be taken to save people from further such cyber-attacks. Although, Anonymous doesn’t aim to harm innocent people it is a possibility that the data can be abused as some criminal group may start a phishing campaign by manipulating the Anonymous Italy attack and con users by putting them in jeopardy, as for now Anonymous is going strong with their offenses against Expo 2015.

UPDATE: 

Italian police arrested four suspected Anonymous hackers Friday, accusing them of conducting cyber attacks on Italian government and servers at Expo 2015. It seems the arrested hackers are the same guys who were behind stealing 1 TB data from Best Union.

Stay Tuned..

See If Your System Was Used In Your Absence

Want to see if your computer was used while you were not on the table? Have you found an important file deleted, in the time when you were away from your pc and want to find who was there at your PC or due to any other reason? If yes then follow the steps below:

1. Go to start and click on run in the bar type: eventvwr.msc

2. After pressing enter, you will see a new window as shown below:

3. Now here click on windows log, here click on system.

4. After this you can double click on any date and check out the event that have gone by.

Give this trick a try and bust those who have been using your computer secretly or without your permission ;) 

Simple Tips To Manage Social Engineering Attacks

The web is an interconnected maze consisting of people, organization and computers. The easiest way to hack into such a system is to find the weakest link between them. Usually, the human link is always the weakest and therefore the easiest route to hack into any organization computer network.

Consequently, modern day hackers have shifted from hacking the organization’s systems as their primary target, to hacking the Human Operating System. Hacking an individual requires a different set of tools and a change of tactic from brute force to relying on social engineering tactics to manipulate the different human instincts to the hacker’s advantage.

WHAT IS SOCIAL ENGINEERING?

Social engineering is use of soft non-technical skills to gain unauthorized access to private computer networks. Social engineers rely on human interactions to lure people into giving out crucial confidential information that would compromise their Internetsecurity. Hackers use social engineering for varied reasons but the end game is always to defraud you financially by manipulating your human instinct to trust rather than using brute force to break into your system.

Social engineering is not a new concept but rather old-age con games applied in a web perspective. The information sought by Social engineers may vary from passwords, bank information, System configuration details and so on. But regardless of the information sought, the objective is always to take control of your system and make a certain gain at the end.

Social engineering takes different form and shapes. It could be as simple as someone calling you pretending to be your bank customer care agent and requesting your banking details. It could also be someone posing as a new employee who need log in assistance or your colleague stealing your login credentials through shoulder surfing.

Regardless of the form and shape, the success of any social engineering attack largely depend on human weakness in critically analyzing every situation. In reality, internet security is all about knowing when and who to trust with your confidential information at any given time. Alertness and avoiding to take every situation at face value will take you a long way in preventing social Engineering Attacks.

WHICH ARE THE MOST COMMON SOCIAL ENGINEERING ATTACKS?

Social engineering attacks are propagated in different forms and through various attack vectors. It is a rapidly evolving art that keeps on being perfected every now and then. However, some of the most common social engineering pitfalls include the following.

• Bogus Email from a Friend; It is a common social engineering tactic used to extract information from a large network of people. In this case criminals only infiltrate one email account and use the contact list to send spyware ridden email to other on address book. Again, one is easily fooled to trust an email attachment or a link sent supposedly by a known friend.

In most cases, the attacker using a hacked account sends you an email address claiming that your ‘friend’ is stuck in a foreign country after being mugged. They request money for a return ticket and promise to refund the money once they are back. Usually, the email has instruction on how to send the money to your ‘stranded friend’ abroad.

• Phishing Attacks. It’s an old age cyber threat that applies social engineering tactics to harvest confidential details from victims. Most phishing attacks are propagate through bogus emails allegedly form trusted service providers such as banks, Schools, Software companies or government security agencies. E.g. FBI

Normally, online fraudster sends email posing as one of your trusted service provider. They request you to urgently update your account details or upgrade your current software through given links. Most phishing emails require you to do something urgently or risk some consequences. Clicking on the embedded links directs you to spoofed websites designed to steal your login credentials.

Another common trick used by phishing masters is to send you an email claiming that you’ve won a lottery or certain promotion goodies. You are required to give your banking details in order receive your lotter winning. In other cases the scammer pose as the FBI saying they have recovered your ‘stolen money’ and therefore requesting to send you bank details to get your money back.

• Baiting Schemes. In these types of social engineering schemes, the attacker takes advantage of a highly demanded product such a new movie or music video to harvest private information from unsuspecting people. It is very common in peer-top-peering sharing network such Bit torrent.

Another popular tactic is to undervalue hot product by giving one day 85% discount. Such schemes may appear in legitimate auction sites such as eBay which makes it easy for people to fall for the bait. Usually, the product on offer is non-existent and vendor could be using a hacked eBay account to obtain your banking details.

• Unsolicited Tech Support– In some instances, criminals pose as tech support teams from popular companies such as Microsoft, purporting to respond to ‘your request’ to resolve a tech problem. Although you never requested for help, you could be tempted to take advantage of a free service because you could be having a tech problem with your Microsoft product in the first place.

Responding to the emails initiates an interaction with the criminal who may further request for more specific details about your system in order to help you out. In some cases the criminals may request you to log on to “their company systems” or simply request for root access to your system. Sometimes they may give you bogus command to run on your system. Such commands are only intended to give the attacker greater access to your computer system.

HOW TO AVOID SOCIAL ENGINEERING ATTACKS

• Be wary of emails, instant messages and phone calls for unsolicited people such as service providers. Verify the source of message before giving out any information.
• Go slow and pay keen attention to fine details in emails and messages. Never let the urgency in attacker’s message cloud your judgment.
• Educate yourself. Information is the most powerful tool in preventing social engineering attacks. Research facts on how to identify, and ward off online criminals.
• Never click on embedded links in emails from unknown senders. If necessary use the search engine to search for suggested website or manually enter the website URL.
• Never download email attachment from unknown senders. If necessary open the attachment in protected view which is enabled by default in many operating systems.
• Reject requests for online tech support from strangers no matter how legitimate they may appear.
• Secure your computer space with a strong firewall, up to date antivirus software and set your spam filters too high.
• Patch up software and operating systems for Zero day vulnerabilities. Follow up on patch releases form your software providers and patch-up as soon as humanly possible.
• Pay attention to website URL. Sometimes online fraudsters make slight changes to URLs in order to direct traffic to their own spoofed sites.
• Avoid being greedy on the web. If you never participated in a lottery, it goes without saying that you can never be the winner. If you never lost money, why would you accept a refund from the FBI?

WHAT NEXT FOR SOCIAL ENGINEERING VICTIMS

Due to the soft nature of social engineering attacks, most victims don’t know they’ve been hacked and it may take months to identify a security breach. However, in case you suspect that you’ve been a victim of social engineering, the first thing is to do a password workaround.

Create new strong password for all your accounts. Ensure that your new password cannot be linked to you or your family because the attackers probably know way too much about you and your family. Secondly, contact your bank, and carefully review your financial statements. Lastly, consider reporting the incident to law enforcement agencies to avoid liability in cases of identity theft and impersonation in criminal activities.

In conclusion, Social engineering attacks are old age con game that get better and smarter with time. Hacker will continually use them so long they continue to yield handsome returns year in year out. Preventing Social engineering attacks require knowing when and who to trust on the web. Critically analyze each and every situation before giving out any incriminating information. More importantly, avoid being greedy on the web. Always think twice when the deal is too good!

Researcher Publishes 10 Million Passwords, Usernames Amid FBI Raid

A security researcher has revealed from a research of various data breaches, a collection of 10 million usernames and passwords.

The leaked database dumps that had the 10 million usernames and passwords were already available to the public online. But a popular security consultant, Mark Burnett – the person involved in the collecting and researching leaked passwords over the internet – made his resolution of publishing the passwords dump as a risky thing, however, something that can come in handy to the security researchers.

WHY IS THE RESEARCHER WILLING TO SHARE PASSWORDS?

It has been said by the password researcher that these passwords would provide a sample for other researchers to analyze and understand better the user behavior and will motivate password security.

The researcher was requested time to time from various students and other security researches for giving a copy of the password research data so that they can do their independent research.

WHAT PANICS HIM OF SHARING HIS RESEARCH?

There was an incident where the former Anonymous activist and journalist Barrett Brown was sentenced to a five-year arrest as he shared the hyperlink with an IRC (Internet Relay Chat) channel where other members were distributing hacked information. It is this fear of being sentenced that Mark Burnett is refraining from sharing his research with anyone.

Ironically, Burnett is willing to share the information universally so that the world can understand the way people choose pass phrases.

Burnett also wrote in his blog post on Monday that it is simply ridiculous that he has to write a whole justification for the release of the data if he does not want legal action taken against him. He says that if it wasn’t for this report, he would have written an article on the data release but now he has to spend the time on this lame thing just to convince the FBI not to arrest him.

FROM WHERE DID THE CREDENTIALS COME?

Burnett has collected the information that was already present on the internet. He has gathered data breaches at major companies such as Adobe Data Breach and Stratfor hack. 

Many of the passwords that were found, the researcher said, were already “dead” which means that most of them were already changed and Burnett scrubbed other data like domain names so as to render the information useless for cyber criminals and other hackers. The passwords, however, still present on the list should be changed instantly.

A SHORT INTERVIEW WITH MARK BURNETT

Few questions were posed to Mark about sharing the usernames/passwords with the world and the answers were as follows:

Q: Is there any threat to online users associated with sharing the passwords with the public?

A: The passwords are already out there on the internet and so the hackers who want to hack the passwords on this list, are not a threat at all.

Q: Have you been approached by any Law enforcement agencies?

A: No

Q: Does the data include any passwords or usernames from Adobe and LinkdedIn breaches?

A: My research includes those breaches that have both the username and the password and so this excludes LinkedIn and other sites as well. As far as Adobe is concerned, the passwords that were not available on the internet unencrypted have not been included as this rules out adobe as well. Otherwise, the report has a bit of everything.

Q: Give a reason as to why should the passwords be shared publicly?

A: The data is collected for the purpose of providing clean and consistent set information for those who want to find study it and hence gain knowledge. Although, I have been asked many times to share my research, I have been hesitant to do so. Despite not being completely accurate, the data can be used to improve security.

‘WHY THE FBI SHOULDN’T ARREST ME’

Usually researches are accustomed to releasing passwords alone; however, Burnett said that he has released both the passwords and usernames together. This is an area which has been less looked at but something that can offer greater insight than simply studying passwords.

There has been a common fear among researchers to release both passwords and usernames together. This is because when released in combination, they become an authentication feature and if they are linked to an already registered authentication feature in a private IRC cannel, it can be deemed as trafficking and in this case the FBI can surely take it as a crime.

The 10 million passwords revealed by the researcher can actually show how frequently do users put their usernames either partly or in full while creating a password. Still, 10 million is a huge amount but Burnett fended this off by saying that the leaked information was already on the internet.

We at HackRead are currently analyzing the data and will update you once done.