

disruptive revolution

TARGETING THE VULNERABLE

THE INTERNET OF THINGS IS DISSOLVING THE WALL BETWEEN THE PHYSICAL AND VIRTUAL WORLDS. YOTAM GUTMAN, VP, MARKETING, SECURITHINGS, CONSIDERS HOW THIS IS LEAVING THE YOUNG AT RISK FROM PREDATORS

People think cybersecurity is the risk that comes from someone stealing something that we hold: money, information, even our identity. For the last three decades, as we've left more online footprints, we've learned to pay attention to securing ourselves and those we love online. We now know not to use simple passwords or share intimate details with strangers and we've tried to pass this knowledge on to our children, so that they will remain safe online as well.

But now we are facing an even more disruptive revolution: IoT. The Internet of Things means that the wall between the physical world in which we live and the virtual world where we conduct business transactions or seek amusement is dissolving. Smart devices are all around us now. The number of connected devices recently surpassed that of humans living on earth and the numbers are expected to grow threefold by 2020. Soon, connected devices will be implemented in our daily environment and will provide us with many benefits, including better safety, comfort and efficiency. However, connected devices open our homes to a different problem: the devices may be used by predators to spy on, record, trade and store private and illicit materials.

GROWING RISK

The recent Demos report, 'Technology Briefing Series: Child Sexual Abuse Imagery', states the IoT is creating new opportunities for sex offenders and the risk is set to grow in the coming years. One of the methods described in the report involves perpetrators remotely storing inappropriate images of children on smart, connected devices. According to the report: "Unsecured Internet of Things devices (such as a smart TV) act as safe repositories of images, without the knowledge of the device owner."
Criminals use this tactic to reduce the chances of being caught by law enforcement agencies and, in case of an arrest, to deny the existence of such materials. In the UK, the Criminal Justice Act 1998 - section 160(1), outlaws the possession of an indecent photograph or pseudo-photograph of a child. Even though possession of images carries a lesser sentence than distributing or producing, it is still a substantial offence that can lead to five years in prison.

In addition to storing images, connected devices could be used to produce such imagery by criminals able to remotely tap into home camera feeds and record children. Since these images are essentially a live feed filmed without the victim's awareness, they can be worryingly intimate. Connected devices can also be used by more motivated predators to stalk their potential victims in real life; for example, they might be able to identify when the parents are not home and the child is vulnerable.

computing security May/June 2018 @CSMagAndAwards

(Photo caption) Yotam Gutman: shifting to an 'always on, always connected' world is something no one has prepared us for.

Much emphasis has been placed lately on the risks of webcams. Parents know that they are risky, so they implement solutions such as monitoring their kids' activities around laptops and instructing them on how to behave. Nevertheless, people are still oblivious to the dangers of connected cameras, most of which are installed using default passwords that allow even novice hackers to connect to them and view private feeds. Some cameras have built-in vulnerabilities and backdoors that enable remote access, even if properly configured.

DEVICES MONITORED

Unfortunately, consumers have no way to discern which cameras are the most secure. As such, it is the responsibility of the service provider to monitor the device's behaviour (while respecting the consumer's privacy) and determine if suspicious behaviour is taking place. Such activity should be flagged and, if need be, mitigated by blocking the device's access to certain IP addresses. The owner of the device must also be notified, so that they do not expose their families to risks or become culpable for stored illicit images they know nothing about.

Even if we agree that inviting greater connectivity into our homes is welcome, we must be aware of the risk involved. We must adopt a more 'corporate' mentality of evaluating risks and devising action plans. For instance, if the perceived risk of a smart device is too high for the home environment, it should be either left unpurchased or thoroughly examined and configured for maximum security and privacy.

With ever more connected devices entering our home, it is not inconceivable that other standard practices in the IT/corporate environment will also be adopted by the consumer. For instance, security advisors might one day conduct risk surveys before installing such devices or invite a 'red team' to conduct pen-testing on homes and devices.

LIABILITY AND RESPONSIBILITY

We will also likely see a growing demand for greater liability and responsibility on the part of the IoT service provider. Just as an enterprise conducts third-party risk evaluations and demands certain performance, availability and security standards from its providers, so will consumers demand the same, if not higher, levels of assurance from their service providers.

Shifting to an 'always on, always connected' world is something no one has prepared us for. As is the case with most technological advancements, and especially those connected to the use and adoption of the internet, dubious players are much faster to adopt than mainstream consumers (think online porn, gambling, credit card fraud and spam). This creates an uneven playing ground where malicious actors are able to benefit from the lack of awareness and available security solutions.

It is up to the security industry, authorities/regulators, and the general public to ensure that this will not be the case with IoT. The risks are higher, and we must prevent predators from invading our homes and threatening our children.