All posts by F Khan

About F Khan

Tech-junkie, with a special affection for security issues as they relate to telecom and enterprise, mobile, standards, social media, and gadgets.

Mac OS Is A Target

If you own an Apple product and have not seen or heard about the recent increase of nasty malware targeting Mac OS then now is your chance to get up to speed. I know that many of you out there using Mac OS do so due to ease of use and seamless integration into your tech toys like iPhones and iPads. The belief that Windows users were the only ones with a malware problem is a myth. You need to wake up to the fact that your laptop, iPhone or iPad is being targeted; the malware is getting really sophisticated and all platforms are susceptible to attack!

Here are some examples of the recent malware you should know about:

Proton – The malware includes root-access privileges and features that allow an attacker to obtain full control of the victim’s computer. Its capabilities include: running real-time console commands and file-manager, key logging, SSH/VNC connectivity, screenshots, webcam operation and the ability to present a custom native window requesting information such as a credit-card, driver’s license and more. The malware also boasts the capability of iCloud access, even when two-factor authentication is enabled.

Xagent – This malware contains a payload that can make a compromised system running Mac OS X provide passwords, take screen captures and wipe iPhone backups stored on the Mac OS system.

As you can see, being a Mac user does not guarantee security and this scenario is only going to get worse. For your own sake please always keep that in mind. That said, here is what you can do to protect yourself:

  1. Use Time Machine to make backups regularly and ensure they are encrypted. I prefer not to use iCloud due to the fact I am not really sure who Apple shares this data with. While they say things publicly the other side of the fence might offer a differing view.
  2. Ensure all iPhone backups are also encrypted.
  3. Use a tool such as Little Snitch to determine when unknown connections are leaving your Mac. Getting to know what your computer is doing and what it should be doing is key to early detection of compromise.
  4. Determine if a downloaded application might not be what you think it is using Suspicious Package.
  5. Get alerted if you're being watched with OverSight.
  6. For your base install you should already have the following in place:
    1. A passphrase for a password that is 20+ characters long
    2. FileVault enabled
    3. DuckDuckGo for your searching and research
    4. A VPN whenever you have to use a public or untrusted WiFi provider
    5. Tracking of the security news for new developments in Mac OS malware
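Several of the steps above can be verified rather than taken on faith. The script below is an added example, not code from the original post or from any of the tools it names: it checks the three points a compromise like Proton or Xagent would care about most, namely that FileVault is on (by parsing the text `fdesetup status` prints), that each iPhone backup under `~/Library/Application Support/MobileSync/Backup` is encrypted (by reading the `IsEncrypted` flag in its `Manifest.plist`), and that established outbound TCP connections belong to processes you expect (by parsing `lsof -nP -iTCP -sTCP:ESTABLISHED` against a small allowlist, a poor man's version of what Little Snitch does interactively). The sample `fdesetup`, plist and `lsof` inputs are constructed so the checks can be exercised on any machine; the `KNOWN_NETWORK_PROCESSES` allowlist is an assumption you would tailor to your own Mac.

```python
"""Audit three of the Mac hardening steps listed above: FileVault on,
iPhone backups encrypted, and no outbound connections from unexpected
processes. Added example, not part of the original post."""
from __future__ import annotations

import plistlib
import shutil
import subprocess
import sys
from pathlib import Path

# Constructed sample inputs so the checks can be exercised off a Mac.
SAMPLE_FDESETUP_ON = "FileVault is On.\n"
SAMPLE_FDESETUP_OFF = "FileVault is Off.\n"

# Minimal stand-ins for the Manifest.plist found in each iPhone backup
# folder; a real one carries many more keys.
SAMPLE_MANIFEST_ENCRYPTED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>IsEncrypted</key><true/>
  <key>Version</key><string>10.0</string>
</dict></plist>"""
SAMPLE_MANIFEST_PLAIN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>IsEncrypted</key><false/>
</dict></plist>"""

# Constructed lines in the shape `lsof -nP -iTCP -sTCP:ESTABLISHED` prints.
SAMPLE_LSOF = """COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
Safari     512 user   23u  IPv4 0x1a2b      0t0  TCP 10.0.0.5:52345->203.0.113.10:443 (ESTABLISHED)
ssh        640 user    3u  IPv4 0x1a2c      0t0  TCP 10.0.0.5:52400->198.51.100.7:22 (ESTABLISHED)
unknownbin 777 user    5u  IPv4 0x1a2d      0t0  TCP 10.0.0.5:52511->192.0.2.44:8080 (ESTABLISHED)
"""

# Processes this particular user expects to talk to the network (assumption;
# tailor to your own machine).
KNOWN_NETWORK_PROCESSES = {"Safari", "ssh", "Mail"}


def filevault_enabled(status_output: str) -> bool:
    """Parse the text `fdesetup status` prints ("FileVault is On." / "... Off.")."""
    return status_output.strip().startswith("FileVault is On")


def backup_is_encrypted(manifest: bytes) -> bool:
    """Read the IsEncrypted flag from a backup's Manifest.plist; a missing
    key is treated as unencrypted so the audit errs on the side of caution."""
    return bool(plistlib.loads(manifest).get("IsEncrypted", False))


def unknown_outbound(lsof_output: str, known: set[str]) -> list[tuple[str, str]]:
    """Return (process, remote endpoint) for every established TCP connection
    owned by a process that is not in the allowlist."""
    findings = []
    for line in lsof_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 9 or "->" not in fields[8]:
            continue
        command, remote = fields[0], fields[8].split("->", 1)[1]
        if command not in known:
            findings.append((command, remote))
    return findings


def audit_live_mac() -> None:
    """Run the same three checks against the real machine (macOS only)."""
    if shutil.which("fdesetup"):
        out = subprocess.run(["fdesetup", "status"], capture_output=True, text=True).stdout
        print("FileVault on:", filevault_enabled(out))
    backup_root = Path.home() / "Library/Application Support/MobileSync/Backup"
    for manifest in backup_root.glob("*/Manifest.plist"):
        print(manifest.parent.name, "encrypted:", backup_is_encrypted(manifest.read_bytes()))
    if shutil.which("lsof"):
        out = subprocess.run(["lsof", "-nP", "-iTCP", "-sTCP:ESTABLISHED"],
                             capture_output=True, text=True).stdout
        for proc, remote in unknown_outbound(out, KNOWN_NETWORK_PROCESSES):
            print(f"unexpected outbound connection: {proc} -> {remote}")


if __name__ == "__main__":
    if sys.platform == "darwin":
        audit_live_mac()
    else:  # demonstrate on the constructed samples
        print("FileVault on:", filevault_enabled(SAMPLE_FDESETUP_ON))
        print("backup encrypted:", backup_is_encrypted(SAMPLE_MANIFEST_ENCRYPTED))
        print("unknown:", unknown_outbound(SAMPLE_LSOF, KNOWN_NETWORK_PROCESSES))
```

Run it once on a clean machine and keep the list of processes it reports as a baseline; the value of this kind of check, as the post says, is knowing what your computer normally does so that a new entry stands out.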

The main goal here is to not be an easy target and to create as many layers of defense as possible to protect yourself. As in life, prevention is always better than the cure!

Maker Faire Ottawa

This past weekend we participated in Maker Faire Ottawa which is an all-ages gathering of tech enthusiasts, crafters, educators, tinkerers, hobbyists, engineers, science clubs, authors, artists, students, and commercial exhibitors. The location for this second Faire was the Aberdeen Pavilion in Ottawa’s historic fairgrounds and this year we got a booth to demo Hive Sense. As you may know we are helping Algonquin College with bee research and wanted to provide the community with an update on the project.

It was great to see so many people with knowledge of the problem and we enjoyed the dialogue we were able to have with so many local professional and amateur beekeepers. We are currently working on building out a new service infrastructure and web site for our project and hope to have four to five hives monitored prior to the snow flying. Once these hives are monitored we will announce it on all our channels so you can track the progress and see the data.

Maker Faire is, according to the organizers, the Greatest Show (and Tell) on earth so it was not surprising to have had lots of cool projects again this year. While there were many 3D printing demos and projects it was nice to see groups and clubs engaging kids in robotics and coding as this is a great way to start playing with open source technology at an early age. There were programs even for big kids so there was no need to feel left out or to worry lol.

We had many attendees drop by our booth to learn about the concept of our project. Many were not technologists, engineers, or even web savvy individuals but they dropped in to see what the project was all about. It was also nice to hear from all the people who remembered their grandfather’s hives or when they lived on a farm. We keep forgetting that about 40 years ago a big part of our economy was agriculture driven especially in the Ottawa Valley.

We are looking forward to the 2017 event and being able to show what we have learned and how to get involved with the project in the future so… stay tuned.

If you have any questions in the meantime please do not hesitate to reach out to us for this or other IoT projects.

RIoT Control – A Book Review

Coming soon to a bookstore (or Kindle) near you is a first-of-a-kind book on how to approach security for the Internet of Things (IoT). This book is an assessment of how to control and manage Risk and the Internet of Things – RIoT Control. It is targeted at executives, engineers and architects either responsible for considering or implementing IoT solutions within their organizations. It is also a useful read for entrepreneurs, risk managers, security practitioners, business line managers and anyone not interested in the operational details of IoT security but wanting to understand the problem.

I was fortunate and honoured that Tyson Macaulay, the author, asked me to be a reviewer of this book. In the process I was able to learn even more about this increasingly important topic for cyber security practitioners. Tyson and I have been working together for several years on IoT security under ISO and have represented Canada internationally for over five years to create the baseline considerations (or controls) that should be considered for IoT implementations. Over this time I have realized how broad a topic IoT is, how challenging its issues are and how complex some of the solutions are for some sectors.

Implementing cyber security controls in some sectors is not going to be easy to say the least. Companies are going to have to shift their mindset to building an adaptive and strong “culture” of cyber security in order to be able to succeed in IoT. One of the key barriers to adoption right now is security and privacy considerations. Product and service providers are going to have to prove to customers that their products are both designed and tested to a specific security level. The daily news of products or solutions that have been compromised is proof positive of the need to secure these solutions comprehensively. Even the NSA and FBI are hiring highly skilled hackers to be able to compromise networks and data of users of IoT solutions.

RIoT Control walks the reader through the process of IoT cyber security considerations and gives many useful examples to help the reader better understand the concepts. It provides the necessary background and details that designers and implementers need to consider for new IoT products and solutions. And yes, security and privacy need to be considered at the design and concept stage.

The chapters contained in the book are:

Chapter 1 – Introduction to IoT
Chapter 2 – Anatomy of IoT
Chapter 3 – Requirements and Risk Management
Chapter 4 – Business and Organizational Requirements
Chapter 5 – Operational and Process Requirements Framework
Chapter 6 – Safety Requirements in the IoT
Chapter 7 – Confidentiality and Integrity
Chapter 8 – Availability and Reliability Requirements
Chapter 9 – Identity and Access Control Requirements
Chapter 10 – Usage Context and Environmental Requirements
Chapter 11 – Interoperability, Flexibility and Industrial Design Requirements
Chapter 12 – Threats and Impacts to the IoT
Chapter 13 – RIoT Control

I hope you enjoy reading this book as much as I did. In this book Tyson has done a great job of explaining the business and security concepts of IoT to executives, architects, engineers and anyone else responsible for IoT in a comprehensive way. In doing so he provides the necessary background for building a cyber security IoT practice and ensures that customers are provided a higher level of assurance to products and services they are selecting for IoT.

If you want to buy this book, for your convenience, here is the link to RIoT Control on Amazon.

Maker Faire Kathmandu

I just returned from Kathmandu after a great weekend presenting our Hive Sense project. If you don’t know about Hive Sense, it is a project we started under Random Hacks of Kindness (RHoK) Ottawa to help Algonquin College monitor some bee hives. The goal is to better understand bee behaviour and find out why bees are dying while teaching students about where food comes from and our impact on our food chain. We are in the process of helping get relocated hives under monitoring and will provide a link to this data in the coming months.

Our hope is to help better educate people on the importance of bees and the fact that without them we would not have any fruits or vegetables. Bees are responsible for one out of every three bites of food we consume and are an agricultural commodity that’s been valued at $15 billion annually in the U.S. alone. They are a major unpaid workforce with a huge work ethic — bees from one hive can collect pollen from up to 100,000 flowering plants in a single day and pollinate many of them while doing so. They are a critical part of our food chain and they are dying but most people appear not to be alarmed by this — but they should be! If the bees are dying from pesticide exposure or other environmental factors what impact is it having on us and our children? Cancer, DNA mutations, who knows? We need to collect the data to better understand the problem.

These are important questions that need to get answered but I am not a research scientist. I am a technologist who can build solutions and so we are doing our part to help in both bee and agriculture research. Oh, did I mention this is an IoT solution?

As for the Maker Faire Kathmandu, it was great to see so many people out. It rained buckets the first day and our booth got flooded – funny now, but the thought of having my MacBook destroyed by a power surge was a bit overwhelming at the time. That said the interest in bees and bee life was awesome. It was also great to have my placard (see above photo) signed by so many people.

I hope to return some day to Nepal. The people are very friendly and love talking to you. I love all the temples around the city and was able to get a bird’s eye view of Mount Everest in all its towering majesty. (see below)

For the Bees

This past weekend we (TwelveDot Labs that is) participated in our first Ottawa Random Hacks of Kindness (RHOK) after being a sponsor for the past three years.

Algonquin’s School of Hospitality and Tourism is on a mission to help students better understand the “food to fork” concept and the impact the changing environment is having on the human food chain. And we were happy to partner with Algonquin College on a bee hive monitoring project.

We had to do a lot over the weekend and not a lot of time to do it in (about 14 hours) but we managed to get sensors logging into our database. All of this was done with a team of only eight! Without the hard work and efforts of Kirin, Kaelan, Bernard, Ying, Cid, Jared and Alf, this project would not have come together in such a short period. We were, and remain, truly grateful to all of them for giving up their weekend for this project. We also had significant assistance from Dave of Algonquin College who is both a chef and understudy beekeeper. He provided very useful details on how bees live and our impact on them in general and every time we open a hive.

That said, we know that there are many other hackathons that have similar projects and even commercial monitoring solutions for monitoring bee hives right now. We also know that there are no solutions which are purpose-built for research and non-intrusive to the bee environment. The goal of our project was to develop a solution that included these two aspects in the overall design. Over the course of the weekend we:

  1. Used an Arduino (an open-source prototyping platform based on easy-to-use hardware and software) based platform to connect our sensors.
  2. Designed a base mobile User Experience (UX).
  3. Set up and configured a time-series database.
  4. Fine-tuned our sensors for data collection via the code.
  5. Created a web site to document our project.
  6. Developed a design to incorporate sensors non-intrusively into a bee hive – we actually did this in the last hour of the event!

Our goal going forward will be to continue this work with Algonquin as bees are important to our food chain. We are doing this for bees as much as we are doing it for ourselves.

In the coming months we will be providing all the initial design and data collected for bee research and hope to have our own data available as well. If you want to know more about our work and progress, we invite you to go to our project website.

Lastly, do not hesitate to contact us to find out if we can help your field research project.

Ottawa IoT Meetup – June 28th

This month I have the honour of being the presenter at the YOW IoT Meetup and I hope to see you there. Please bring all your questions. I look forward to providing guidance and suggestions to your projects. Here is the outline for my discussion:

Security and Privacy for IoT: A Standards Based Approach

IoT has the promise to change our lives and provide interactions that were previously unheard of – with upwards of 20 billion devices connected. However, one of the biggest barriers to adoption is security and privacy.

Daily reports of compromised networks and systems have become commonplace and many IoT services and solutions will be based on these same architectures and techniques – risky! The only way to change the IoT security landscape is to change our approach to design.

Our discussion will explore how to make security and privacy part of your daily ritual with the aim to significantly reduce the cyber exposure of your products and solutions. As we are quite active in the development of both IoT and security standards, we use a standards based approach to solving these problems.

International standards provide a global yardstick on which to base the design and build of solutions. In the age of IoT, even small companies are being forced to think globally.

We will look at:

  • ISO standardization of IoT
  • Security considerations for your organization
  • Security considerations at design and development
  • Testing and evaluation of IoT solutions
  • Privacy considerations and practices

We will record all the questions we get and post them for all to see. I am sure that you will agree with me that it is important to share as I believe the same root issues and problems are being experienced by many product and solutions organizations.

Here’s why the hack we are participating in RHOK!

For several years now we have been supporting Random Hacks of Kindness (RHOK) as a sponsor. We did this because RHOK is a hackathon for social good: it brings together volunteer developers and tech-savvy do-gooders to work with charities, community groups and social enterprises. And for us it has been hacking good as it is the type of event that really highlights the role private companies can and need to play in their local communities.

This year, however, we decided to hack our support into participation and put in a team to help the cause hands-on. Our decision was motivated by a request from the RHOK organizers to be more active in the cause and I agreed to do so long as our project was Internet of Things (IoT) based. It was also time that we ate some of our own “dog food”. FYI: the term “eating your own dog food,” in the software industry, means using the code you’re developing for your own daily needs: basically, being a user as well as a developer or, in our case, a sponsor and a participant.

I met with my team so that we could begin prepping for our IoT project. I asked Brett Tackaberry, a good friend of mine who is very active in the Ottawa community, to go out and find a project. And found one he did, and not just any project but one that has sensors, research and will run for a long time – at least we believe so. So far we have ordered the sensors, come up with a high level architecture and designed a User Experience (UX) for Version 1. We are cheating a little here but had no choice as one weekend is not enough to prepare and build the prototype of our IoT solution!

You may be asking “What is this solution?” Well you will have to follow us on Twitter for updates to see what we are building. If you happen to be in the Ottawa area on the weekend of June 24th, I invite you to drop in to RHOK to see us and possibly help us or others out on our projects. You will also have the chance to see how matching up organisations that have a social impact with skilled technologists, who want to make a difference, can lead to developing open-source solutions to the challenges facing society today and tomorrow.

As a small R&D group, TwelveDot Labs is primarily focused on R&D in mobile, cloud and IoT. We are hired to evaluate security for IoT technologies and to build cool technology solutions that incorporate both security and privacy. We intend to do for RHOK what we do for our clients: deliver a solution that works, is secure and private, and is, above all, cost effective.

IoT is Active and Moving. Are you?

The U.S. Department of Commerce recently cited that 200 billion connected devices will be deployed by 2020 with an accompanying economic impact in the trillions by 2025. This Internet of Things (IoT) represents a major transformation in a digital world that has the potential to affect everyone and every business. As a result many companies are moving ahead on IoT projects with little consideration to the security or privacy issues that accompany IoT.

Many companies, however, do not have a specific solution in place to secure IoT devices, and some may not know if they have security policies on their devices. ForeScout® Technologies, Inc. recently announced the findings of its new “Enterprise Internet of Things (IoT) Survey.” This survey of 350+ Information Technology (IT) professionals assessed their organizations’ IoT security practices. The research revealed that while the majority of respondents acknowledge the growing number of IoT devices on their networks, they are unaware of how to properly secure them. Moreover, 85 percent of survey respondents lacked confidence in their ability to see connected devices as soon as they joined their networks, and almost a quarter of survey respondents said that they weren’t confident at all. When connected devices are left out of the security sphere, an organization’s attack surface becomes that much more vulnerable. The excuses for this scenario are many and the users of these companies’ solutions are potential digital crime victims; many of whom are never notified or even aware of the risks and dangers.

Today there is an added risk: spying. As the Internet of Things (IoT) becomes more commonplace, more valuable data will be accessible through an ever-widening selection of entry points, not only to hackers but also to spy agencies like the National Security Agency (NSA). So what is a developer or solution provider to do? Well it starts at the concept stage, considering how data is collected, processed, stored and destroyed. This is not only a software consideration but also hardware. At a high level, here is where you need to start:

  1. What do your company's policies and procedures state about your systems development life cycle (SDLC)?
  2. Does your SDLC provide at the design/concept stage allocations for a Privacy Impact Assessment (PIA) and Technical Risk Assessment (TRA)?
  3. Are your developers/programmers given security training?
  4. Do you perform background checks on developers/programmers?
  5. Where do you store your source code? And who has access to it?
  6. Where are your components sourced from and have you validated the firmware on these components and integrated circuits?
  7. Have you assessed the Third Party libraries for security issues and coding practices?
  8. Did you perform “threat modelling” of the proposed solution?

All of these aspects need to be considered as they are a benchmark for all of your solutions and must become part of your business culture. This also includes documenting all aspects of these elements, especially for meetings that deal with design decisions. Maintain a decision log/registry that is tied to the project. This can be referenced if and when a breach happens. It can also save your a$$ by proving you did the due diligence at design time. Your dev-ops, designers, and testers need to eat, think and breathe private and secure design. Doing this up front will not only greatly reduce costs in the back end for support but also help avoid possible lawsuits.

At TwelveDot our goal is to help companies that are struggling to secure their mobile, cloud and IoT solutions. Connect with us to see how we can help you solve your security challenges.

Talking IoT Standards in Shanghai

This past week we had our 4th meeting of ISO/IEC WG10 on IoT. We are working towards writing ISO 30141, Reference Architecture for IoT. While it is not easy to get many global experts to agree on such a broad topic, it is good to see so many of us attempting to find common ground on IoT. We have had many issues over the years and it has taken a while to overcome the conceptual concerns about what is required. However, it seems that we have started to work towards a common goal and are now more focused.

Some of the more contentious issues are:

  1. What does a conceptual model need to contain? With so many experts from diverse backgrounds it is not easy. You get fixated on your vertical and its needs but we need to come up with a model that represents the basic common elements of all IoT systems. We are getting there but we still need to agree on the level this diagram should represent.
  2. Terms and definitions are another, but if you have been around standards this is quite normal. With the content constantly changing in a Working Draft (WD), so too do the terms, to ensure alignment to the content and context of the topic.
  3. Dealing with other Standards Development Organizations (SDOs) and their view of IoT. While we need to respect each other's perspective of IoT, we have to be keenly aware that we do not duplicate the work of others. This is much harder for IoT given the breadth of technologies that it encompasses.

I was grateful to our Chinese hosts from WSN who invited me as a security expert to a panel on IoT. This event got lots of local press coverage and was attended by over 200 delegates. One question from the audience was about security and what companies need to do better. My usual response is that if you're building something, make sure you threat profile it and have an SDLC that includes security and privacy at every stage of development. It will go a long way to ensure your product/service is more secure in-field.