Archive for May, 2017

IoT DevCon 2017: Security on the Internet Superhighway

Tuesday, May 16th, 2017

It’s getting worse. The vandals have struck various travelers on the internet superhighway, including FedEx, Nissan, Russian banks, and hospitals in the U.K., crippling ordinary operations. The most recent strike on the internet has come from the WannaCry/WannaCrypt ransomware that crippled hundreds of thousands of internet-connected computers, asking for an equivalent of $300 in bitcoin in order to unlock the user’s computer.

Hackers used unpatched Windows vulnerability to apply ransomware to PCs in over 100 countries this past weekend.

Hackers used unpatched Windows vulnerability to apply ransomware to PCs in over 100 countries this past weekend.

The WannaCry malware attacked many computers, mainly those running older operating systems like Windows XP that have been unsupported, without updates of any kind for as long as 3 years now. However, this one was so bad that Microsoft issued a patch in response to WannaCry for Windows XP, Vista, 8, and Server 2003 that plugs the hole that WannaCry exploits. A researcher at a computer security related company, viewing some of the malicious code, inadvertently found a kill switch which managed to slow it down somewhat, although it’s simple to re-jigger the malicious code to remove the kill switch. The malicious code included a long, improbable web domain name that was unregistered. After registering it for around $10, the domain began immediately registering thousands of connections per second as infected computers contacted the site, registered that it existed, and stopped further progress to ransoming the infected computer. The internet is like the dystopian world of Mad Max: it is up to each driver to equip himself with defenses and weapons to survive the drive. There is no central authority to police the internet and protect those who can only afford to drive jalopies (Win XP).

It’s no wonder that at IoTDevCon 2017 in Santa Clara last month the interest in security was so high. Jennifer Gilburg, Director of Strategy, IoT Security at Intel corporation gave a talk about IoT security. Afterwards, Gilburg was like the belle at the ball, surrounded three-deep by engineers wanting to talk about security for the internet of things. To innovate unfettered, technology needs solutions for internet security, and no one has the time or expertise required to rig up a DIY system. Intel has a habit of providing solutions so that innovators are cleared to innovate, not re-invent (and maintain) the wheel. Gilburg’s talk included a discussion about Intel’s IoT platform management system, an end-to-end reference model, including a family of products from Intel that works with third party solutions. Intel “provides an end-to-end platform for connecting the unconnected—allowing data from billions of devices, sensors, and databases to be securely gathered, exchanged, stored, and analyzed across multiple industries.”

People are hungry for protection, and yet they don’t have the time to rig up their own protection and others simply don’t have the money. Poor and rich alike travel our roads, and the internet is no different. Yet we have police for our cities and roads and nothing analogous for the internet. The internet has technology standards required for connection, but not protection.  Furthermore, the abstraction layer that is the internet has created a sense of anonymity so many feel they can act out with impunity. Since the majority of users do not understand what they cannot see, issues that portent harm go ignored by this same majority…until they finally see something like ransomware. Those of us who do see through the abstraction layer realize just what the internet is capable of hosting, as criminals prey upon unsuspecting users and the digital wealth of others. This recent and massive ransomware attack affected over 100 countries, which apparently started with a dump of code created by, and stolen from, the NSA in the United States. The majority of victims were those who failed to purchase updated systems or were using pirated copies of Win XP. In the past, convicted cyber-criminals have been given minor sentences as white-collar criminals.

The upshot is that if you have an older, unsupported computer online, you should update the operating system or remove its  connection to the internet. Make sure your computer and all internet-connected devices are updated regularly, since protective patches are deployed as updates when vulnerabilities are discovered. Change your email to receive text-only type email, and make regular backups using Google drive or some other free cloud. You can also change your operating system to Linux. If Linux had the world monopoly on operating systems rather than Microsoft, potential exploits might be seen early on with an open source OS that is free to use and update and no backdoors would be possible because the code is entirely visible to anyone. But my biggest wish is that people would stop creating viruses, worms and general malware for fun and profit. It’s clear, however, that the human race is not evolving as rapidly as the technology it has created.