Showing posts with label Innovation.

Saturday, February 8, 2014

The Internet of Things

"The Internet of Things" is now finding its way into mainstream conversation!

Once a term used mostly by MIT professors and those steeped in the privacy and security field, "The Internet of Things" is now finding its way into mainstream conversation. Loosely defined as the practice of equipping all objects and people in the world with wirelessly connected, identifying, computing devices, the term represents what could be a hugely transformational way of life.  

At one time, "The Internet of Things" probably sounded like science fiction; but today, it's becoming very real. Here are a few examples of where you can literally see, hear and almost feel this phenomenon occurring in some very ordinary places:
  • TRENDnet marketed its SecurView video cameras as "secure." In reality, a flaw in the cameras' software let anyone who knew a camera's Internet address view and listen to its feed without logging in. Live feeds from more than 700 cameras were posted online, exposing private locations and private moments for the world to see and hear.
  • Google possesses possibly more data about consumers' online activities than any other organization (Facebook, Microsoft and IBM would probably be close behind). Now, it seems, the Internet giant is on track to know as much about your offline behavior. The company recently purchased Nest, which makes "smart" thermostats and smoke/fire alarms that track indoor-activity data, and Nest has said it plans to build many more such gadgets. How much personal information will Nest share with Google, and how will that information be used?
  • A range of smart-home and smart-car technology lets consumers control access to, and features of, their houses and vehicles. But who else might gain the same level of control? And what happens when "smart" cars and appliances can act on their own without human intervention? As this Guardian article contends, they will certainly be tempting targets for hackers.

Thursday, August 8, 2013

CIO can be Chief Digital Officer?

It's difficult — if not impossible — to build great digital capabilities without linking to your existing IT capabilities and people

CIOs who do great things in leading IT soon gain extra responsibilities. By helping business leaders to improve their businesses, the CIO becomes an obvious candidate to fill any open role that involves technology, process, or strong governance. Some CIOs become CIO-Plus-COO or CIO-Plus-Head of Shared Services. Others gain new responsibilities in strategy, integration, or innovation.

But there is another leadership role that has arisen in many organizations in recent years: the Chief Digital Officer (CDO). In many companies, "digital" is a cacophony of disconnected, inconsistent, and sometimes incompatible activities.

It is common to see a company running three simultaneous mobile marketing initiatives, conducted by different groups using different tools and vendors. Other companies have multiple employee collaboration platforms with different rules and technologies. The problem is exacerbated as business units do their own things digitally, or as companies hire vendors who can only do things their own way.

The CDO's job is to turn the digital cacophony into a symphony. It's OK to experiment with new businesses and tools, but experimentation must be coupled with building scalable, efficient capabilities.

The CDO creates a unifying digital vision, energizes the company around digital possibilities, coordinates digital activities, helps to rethink products and processes for the digital age, and sometimes provides critical tools or resources. That's why Starbucks — an early leader in all things digital — hired a CDO last year. And it's why many other companies are naming CDOs before they get too far along the digital road.

The title CDO may or may not become permanent in the company. But the responsibilities of the CDO will be required. You may appoint a temporary CDO to get your house in order, or you may develop other ways to get the job done.

Whatever approach you choose, you need to create appropriate levels of digital technology synergy, brand integration, investment coordination, skill development, vendor management, and innovation over the long term.

In an increasingly digitizing business world, most companies need better digital leadership and coordination. You need to create a compelling digital vision, coordinate digital investments, drive appropriate synergies, build a clean technology platform, and foster innovation. You need to energize a busy workforce and generate shared understanding in your senior executive team. 

Thursday, July 12, 2012

10 Crazy IT Security Tricks That Actually Work

IT security threats are constantly evolving. It's time for IT security pros to get ingenious


Network and endpoint security may not strike you as the first place to scratch an experimental itch. After all, protecting the company's systems and data should call into question any action that may introduce risk.


But IT security threats constantly evolve, and sometimes you have to think outside the box to keep ahead of the more ingenious evildoers. And sometimes you have to get a little crazy.


Here are 10 security ideas that have been -- and in many cases still are -- shunned as too offbeat to work, but that prove quite effective in helping secure a company's IT assets.


The companies employing these methods don't care about arguing or placating the naysayers. They see the results and know these methods work, and they work well.


Innovative security technique No. 1: Renaming admins


Renaming privileged accounts to something less obvious than "administrator" is often dismissed as a wasteful "security by obscurity" defense. Yet this simple strategy works. If attackers have not already made it inside your network or host, there is little reason to believe they will readily discern the new names of your privileged accounts.


If they don't know the names, they can't mount a successful password-guessing campaign against them. An even bigger bonus: the automated malware campaigns typically aimed at workstations and servers overwhelmingly try the built-in account names, so renaming your privileged accounts sidesteps most of them in one step. And once the original names are no longer in use, any logon attempt against them is suspicious by definition, which makes them easy to monitor and alert on. Two caveats a practitioner should keep in mind: on Windows the built-in Administrator account keeps its well-known relative identifier (RID 500) whatever you call it, so an attacker who can query the SAM or Active Directory can resolve the new name from the SID; and a rename does nothing against a weak password. Treat renaming as a speed bump plus a detection opportunity, not as a substitute for strong credentials and a lockout policy.
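As an added illustration of the monitoring point above (example code written for this page, not taken from the original InfoWorld article), here is a small Python detector that treats any logon attempt against the retired built-in names as an alert and, separately, spots a password spray against real account names, the case a rename cannot help with. The event records are constructed to mirror the fields of Windows Security events 4625 (failed logon) and 4624 (successful logon); the names DECOY_NAMES, SPRAY_THRESHOLD, Alert and analyse_logons are the example's own.

```python
"""Alert on logon attempts against retired built-in account names.

Added example, not code from the original article. It assumes the real
administrator accounts have been renamed, so the built-in names listed in
DECOY_NAMES are no longer used by anyone legitimate. The input records are
constructed here to mirror Windows Security events 4625 (failed logon) and
4624 (successful logon); in practice you would feed exported events from
your log collector. DECOY_NAMES, SPRAY_THRESHOLD, Alert and analyse_logons
are this example's own names.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable

# Built-in names your organisation no longer uses (hypothetical list).
DECOY_NAMES = {"administrator", "admin", "root"}
# Distinct accounts failing from one source before we call it a spray (hypothetical).
SPRAY_THRESHOLD = 5

FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624


@dataclass(frozen=True)
class Alert:
    severity: str
    source_ip: str
    target_user: str
    reason: str


def analyse_logons(events: Iterable[dict]) -> list[Alert]:
    """Return alerts for decoy-account logons and for password sprays."""
    alerts: list[Alert] = []
    failed_users_by_source: dict[str, set[str]] = defaultdict(set)

    for ev in events:
        user = ev["TargetUserName"]
        src = ev["IpAddress"]
        event_id = ev["EventID"]

        if user.lower() in DECOY_NAMES:
            # Nothing legitimate logs on with these names any more, so every
            # attempt is worth a look, and a success means the decoy was
            # recreated (or the rename was defeated): treat it as an incident.
            severity = "critical" if event_id == SUCCESSFUL_LOGON else "high"
            alerts.append(Alert(severity, src, user,
                                f"logon attempt against decoy account (event {event_id})"))
            continue

        if event_id == FAILED_LOGON:
            failed_users_by_source[src].add(user.lower())

    # Renaming does nothing against a spray of weak passwords over real
    # account names, so catch that pattern separately.
    for src, users in failed_users_by_source.items():
        if len(users) >= SPRAY_THRESHOLD:
            alerts.append(Alert("medium", src, ",".join(sorted(users)),
                                f"{len(users)} distinct accounts failed from one source"))
    return alerts


# Constructed sample events; external addresses are from the RFC 5737 documentation ranges.
SAMPLE_EVENTS = [
    {"EventID": 4625, "TargetUserName": "Administrator", "IpAddress": "203.0.113.5"},
    {"EventID": 4625, "TargetUserName": "Administrator", "IpAddress": "203.0.113.5"},
    {"EventID": 4624, "TargetUserName": "ops.jsmith", "IpAddress": "10.0.0.4"},
    {"EventID": 4625, "TargetUserName": "alice", "IpAddress": "198.51.100.7"},
    {"EventID": 4625, "TargetUserName": "bob", "IpAddress": "198.51.100.7"},
    {"EventID": 4625, "TargetUserName": "carol", "IpAddress": "198.51.100.7"},
    {"EventID": 4625, "TargetUserName": "dave", "IpAddress": "198.51.100.7"},
    {"EventID": 4625, "TargetUserName": "erin", "IpAddress": "198.51.100.7"},
    {"EventID": 4624, "TargetUserName": "admin", "IpAddress": "203.0.113.5"},
]

if __name__ == "__main__":
    for alert in analyse_logons(SAMPLE_EVENTS):
        print(f"[{alert.severity}] {alert.source_ip} -> {alert.target_user}: {alert.reason}")
```

The decoy rule needs no threshold at all, which is the whole appeal of the technique: a single hit is already a signal. The spray rule is there because the rename buys nothing against guessing over the names that remain in use.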


Innovative security technique No. 2: Getting rid of admins


Another recommendation is to get rid of standing, wholesale privileged accounts: administrator, domain admin, enterprise admin, and every other account and group that has built-in, widespread, privileged permissions by default.


True, Windows will not let you delete the built-in Administrator account (it can only be disabled and renamed), but today's most aggressive computer security defenders recommend doing away with every built-in privileged account as a standing, full-time identity, granting elevated rights only for the duration of a task that needs them. Many network admins see this as a step too far, an overly draconian measure that won't work. Yet at least one Fortune 100 company has eliminated all standing built-in privileged accounts, and it's working well.


The company reports no evidence of having been compromised by an APT (advanced persistent threat), and nobody is complaining about the lack of standing privileged access, either on the user side or in IT. Why would they? They aren't getting hacked.


Innovative security technique No. 3: Honeypots


Modern computer honeypots have been around since the days of Clifford Stoll's "The Cuckoo's Egg," and they still aren't as respected or as widely adopted as they deserve. A honeypot is any computer asset set up solely to be attacked. It has no production value, so no legitimate user or process should ever touch it.


They sit and wait, and they are monitored. When a hacker or malware touches them, they alert an admin so the touch can be investigated. Because nothing legitimate should ever connect, they are low noise and high value, and the shops that use honeypots get notified quickly of active attacks. In fact, nothing beats a honeypot for early warning -- except a bunch of honeypots, called a honeynet.


Innovative security technique No. 4: Using nondefault ports


Another technique for minimizing risk is to run services on nondefault ports. Like renaming privileged accounts, this security-by-obscurity tactic works far better than its reputation suggests. When a remote zero-day (a buffer overflow in a network service, say) is weaponized into a worm or virus, the malware almost always scans for, and attacks, the default port only.


This holds for SQL Server worms, HTTP worms, SSH scanners, and the other automated attackers that hunt for a commonly advertised port. Recently Symantec's pcAnywhere and Microsoft's Remote Desktop Protocol suffered remote exploits. When those exploits became weaponized, it was a race against the clock for defenders to apply patches or block the ports before the worms arrived. Had either service been running on a nondefault port, the race would not even have begun.


That's because, throughout the history of automated malware, the overwhelming majority of it has tried only the default port. Two caveats a practitioner should keep in mind: a human attacker running a port scanner with service fingerprinting (nmap -sV, for instance) will find the moved service in seconds, and moving a port does nothing about the vulnerability itself. Treat it as time bought against worms and scripted scanning, not as a substitute for patching.


Innovative security technique No. 5: Installing to custom directories


Another security-by-obscurity defense is to install applications to nondefault directories. This one doesn't work as well as it used to, given that most attacks happen at the application file level today, but it still has value.


Like the previous security-by-obscurity recommendations, installing applications to custom directories reduces risk: automated malware almost never looks anywhere but the default directories. Even when malware succeeds in exploiting your system or application, its next step is usually to manipulate files it expects to find at well-known paths. Install your OS or application to a nonstandard directory and you break the hard-coded paths the malware relies on.


Changing default folders doesn't have as much bang for the buck as the other techniques mentioned here, but it fools a ton of malware, and that means reduced risk.


Innovative security technique No. 6: Tarpits 


Today, many networks (and honeypots) offer tarpit functionality: the tarpit answers connection attempts aimed at addresses or ports that nothing legitimate listens on, then holds those TCP sessions open while giving the client almost nothing back. LaBrea, the classic implementation, claims unused IP addresses by answering ARP requests that no real host answers, then keeps each connection in a persist state with a tiny receive window, so a scanning worm or bot burns its connection slots and slows to a crawl. The only downside: a tarpit can interfere with legitimate services if it answers prematurely because the real host responded slowly (a LaBrea instance claiming an address before a sluggish server replies to ARP, for example). Fine-tune the tarpit's timing to avoid these false positives and enjoy the benefits.
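The two ideas above, a honeypot that alerts on any touch (technique No. 3) and a tarpit that makes the touch expensive (technique No. 6), are both shown in this added Python example, written for this page and not taken from the article or from any honeypot product. It listens on a port nothing legitimate should use, records each connection as an alert, and holds the client without answering before hanging up. The hold is an application-level stand-in for a real tarpit's TCP window tricks, and the names Touch, Honeypot, start_honeypot, wait_for_touches and probe are assumptions of the example.

```python
"""Minimal TCP honeypot with a tarpit-style hold.

Added example, not code from the original article. It listens on an
address and port that nothing legitimate should ever use, records each
connection as a "touch" (the alert you would forward to your SIEM), and
then keeps the intruder waiting for hold_seconds without answering, so a
scanner or worm ties up one of its connections for nothing. All names
here (Touch, Honeypot, start_honeypot, wait_for_touches, probe) are this
example's own.
"""
import socket
import socketserver
import threading
import time
from dataclasses import dataclass, field
from typing import List


@dataclass
class Touch:
    source_ip: str
    source_port: int
    first_bytes: bytes            # whatever the client sent first (banner grab, HTTP request, ...)
    when: float = field(default_factory=time.time)


class HoneypotHandler(socketserver.BaseRequestHandler):
    def handle(self) -> None:
        self.request.settimeout(1.0)
        try:
            data = self.request.recv(256)
        except (socket.timeout, OSError):
            data = b""
        touch = Touch(self.client_address[0], self.client_address[1], data)
        with self.server.lock:
            self.server.touches.append(touch)
        # Tarpit: say nothing and hold the connection open before closing it
        # (socketserver closes the socket once handle() returns).
        time.sleep(self.server.hold_seconds)


class Honeypot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, address, hold_seconds: float):
        super().__init__(address, HoneypotHandler)
        self.hold_seconds = hold_seconds
        self.touches: List[Touch] = []
        self.lock = threading.Lock()


def start_honeypot(host: str = "127.0.0.1", port: int = 0, hold_seconds: float = 30.0) -> Honeypot:
    """Listen in a background thread. port=0 lets the OS pick a free port."""
    server = Honeypot((host, port), hold_seconds)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def wait_for_touches(server: Honeypot, count: int, timeout: float = 5.0) -> List[Touch]:
    """Block until `count` touches have been recorded (or timeout) and return a copy."""
    deadline = time.time() + timeout
    while time.time() < deadline:
        with server.lock:
            if len(server.touches) >= count:
                return list(server.touches)
        time.sleep(0.02)
    with server.lock:
        return list(server.touches)


def probe(host: str, port: int, payload: bytes) -> bytes:
    """Behave like a scanner: connect, send a probe, wait for a reply until the honeypot hangs up."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(payload)
        s.settimeout(5)
        try:
            return s.recv(64)         # the tarpit never answers; b"" once the server closes
        except socket.timeout:
            return b""


if __name__ == "__main__":
    hp = start_honeypot(hold_seconds=0.5)
    host, port = hp.server_address
    probe(host, port, b"GET / HTTP/1.0\r\n\r\n")
    for t in wait_for_touches(hp, 1):
        print(f"ALERT honeypot touched from {t.source_ip}:{t.source_port} sent {t.first_bytes!r}")
    hp.shutdown()
    hp.server_close()
```

Run it and you get one ALERT line per connection; point a port scanner at the listener and each connection stalls for hold_seconds. Do not bind it to a port that your own monitoring or inventory tools poll, or you have built yourself a false-positive machine, which is the same tuning lesson the tarpit paragraph makes.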


Innovative security technique No. 7: Network traffic flow analysis


With data-stealing intruders abounding, one of the best ways to discover massive data theft is network traffic flow analysis. Free and commercial tools can collect your network's flow records (NetFlow, sFlow or IPFIX exports from routers and switches), map them, and establish a baseline of what should be going where. That way, if hundreds of gigabytes suddenly and unexpectedly head offshore, you can investigate.


Most of the APT attacks I've investigated would have been recognized months earlier if the victim had an idea of what data should have been going where and when.
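As an added example of the baselining described above (example code for this page, not from the article), the following Python builds a per-destination baseline of daily outbound bytes from constructed flow records and flags a day in which a known destination receives many times its usual volume or a brand-new destination receives a large transfer. The records imitate NetFlow/IPFIX exports reduced to four fields; the thresholds and the names Flow, build_baseline and find_anomalies are the example's own.

```python
"""Flag outbound transfers that break a per-destination baseline.

Added example, not code from the original article. The flow records are
constructed here in the spirit of NetFlow/IPFIX exports reduced to four
fields (day, src, dst, out_bytes); in practice they would come from your
collector. The baseline is the mean and population standard deviation of
daily outbound bytes per destination over the history window. The z_limit
and min_bytes thresholds are this example's own choices, as are the names
Flow, daily_totals, build_baseline and find_anomalies.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Iterable


@dataclass(frozen=True)
class Flow:
    day: str
    src: str
    dst: str
    out_bytes: int


def daily_totals(flows: Iterable[Flow]) -> dict[tuple[str, str], int]:
    """Sum outbound bytes per (day, destination) across all internal sources."""
    totals: dict[tuple[str, str], int] = defaultdict(int)
    for f in flows:
        totals[(f.day, f.dst)] += f.out_bytes
    return totals


def build_baseline(history: Iterable[Flow]) -> dict[str, tuple[float, float, int]]:
    """Per destination: (mean, stdev, days_seen) of daily outbound bytes."""
    per_dst: dict[str, list[int]] = defaultdict(list)
    for (_day, dst), total in daily_totals(history).items():
        per_dst[dst].append(total)
    return {dst: (mean(v), pstdev(v), len(v)) for dst, v in per_dst.items()}


def find_anomalies(baseline: dict[str, tuple[float, float, int]], today: Iterable[Flow],
                   z_limit: float = 3.0, min_bytes: int = 100_000_000) -> list[tuple[str, int, str]]:
    """Return (destination, bytes, reason) for unusual outbound volumes.

    min_bytes keeps trivial transfers to brand-new hosts (a DNS lookup, a
    software update check) from drowning the analyst in noise.
    """
    findings: list[tuple[str, int, str]] = []
    for (_day, dst), total in daily_totals(today).items():
        if total < min_bytes:
            continue
        if dst not in baseline:
            findings.append((dst, total, "destination never seen in baseline"))
            continue
        mu, sigma, _days = baseline[dst]
        # A destination with perfectly regular traffic has sigma == 0; use a 10%
        # band around the mean as the floor so a byte of drift is not an infinite z.
        floor = max(sigma, 0.1 * mu)
        z = (total - mu) / floor if floor else 0.0
        if z > z_limit:
            findings.append((dst, total, f"{total / mu:.1f}x the daily average"))
    return findings


# Constructed sample flows: a nightly backup target and a mail relay over five days,
# then one day with a 25 GB burst to the backup target and 400 GB to an unknown host.
BACKUP, MAIL = "203.0.113.10", "198.51.100.20"
HISTORY = [
    Flow("2012-07-02", "10.0.0.11", BACKUP, 1_000_000_000),
    Flow("2012-07-02", "10.0.0.12", BACKUP, 1_000_000_000),
    Flow("2012-07-03", "10.0.0.11", BACKUP, 2_100_000_000),
    Flow("2012-07-04", "10.0.0.11", BACKUP, 1_900_000_000),
    Flow("2012-07-05", "10.0.0.11", BACKUP, 2_000_000_000),
    Flow("2012-07-06", "10.0.0.11", BACKUP, 2_050_000_000),
] + [Flow(f"2012-07-0{d}", "10.0.0.5", MAIL, 50_000_000) for d in range(2, 7)]
TODAY = [
    Flow("2012-07-09", "10.0.0.11", BACKUP, 25_000_000_000),
    Flow("2012-07-09", "10.0.0.5", MAIL, 52_000_000),
    Flow("2012-07-09", "10.0.0.23", "192.0.2.77", 400_000_000_000),
    Flow("2012-07-09", "10.0.0.23", "192.0.2.9", 1_000_000),
]

if __name__ == "__main__":
    for dst, total, reason in find_anomalies(build_baseline(HISTORY), TODAY):
        print(f"INVESTIGATE {total / 1e9:.1f} GB to {dst}: {reason}")
```

The point of summing per destination rather than per host is that exfiltration is often spread across several internal machines; the destination is what stays constant. A production version would also key on destination country or ASN, which is what turns "hundreds of gigabytes" into "hundreds of gigabytes heading offshore".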


Innovative security technique No. 8: Screensavers


Password-protected screensavers are a simple technique for minimizing security risk. If the computing device is idle for too long, a screensaver requiring a password kicks in. Long criticized by users who considered them nuisances to their legitimate work, they're now a staple on every computing device, from laptops to slates to mobile phones.


Innovative security technique No. 9: Disabling Internet browsing on servers


Most computer risk is incurred by users' actions on the Internet. Organizations that disable Internet browsing, or all Internet access, on servers that don't need it significantly reduce those servers' exposure to malicious content. You don't want bored admins picking up their email and posting to social networking sites on a server while they wait for a patch to download.


Instead, block what isn't needed. For companies using Windows servers, consider disabling UAC (User Account Control) only where it truly adds nothing: the risk UAC minimizes on a desktop, a user browsing and opening mail while holding an administrator token, should not exist on a server nobody uses interactively. Weigh the trade-off, though. With UAC off, every process an administrator starts runs with the full admin token, and Microsoft's own server security baselines keep Admin Approval Mode enabled; for most organizations the safer course is to leave UAC on and simply not do interactive work on servers.


Innovative security technique No. 10: Security-minded development


Any organization producing custom code should integrate security practices into its development process -- ensuring that code security will be reviewed and built in from day one in any coding project. Doing so absolutely will reduce the risk of exploitation in your environment.


This practice, sometimes known as SDL (Security Development Lifecycle), varies from one practitioner to the next, but typically includes the following tenets: use of safer programming languages; avoidance of known-insecure functions; code review; penetration testing; and a laundry list of other best practices aimed at reducing the likelihood of shipping security-bug-ridden code.


Microsoft, for one, has been able to significantly reduce the number of security bugs in every shipping product since instituting SDL. It offers lessons learned, free tools, and guidance at its SDL website.


This story, "10 crazy IT security tricks that actually work," was originally published at InfoWorld.com.

Tuesday, August 30, 2011

Singapore Airport enhances airfield security with fibre-optic sensors

No system is fool-proof and perfect

Changi Airport will be the world's first airport to reinforce its perimeter fences with fibre-optic sensors to detect intruders.

More cameras will also be installed at airport boundaries, which will be integrated with the new multi-million-dollar defence system called AgilFence, made by Singapore Technologies (ST) Electronics.

Said Changi Airport Group's executive vice-president (airport management) Foo Sek Min: "No system is fool-proof and perfect."

"And as we review our existing perimeter protection, the introduction of this perimeter intrusion detection system will help us to have a better and faster response if there are any signs of intrusion."

The pressure-sensitive sensors are protected by an armoured casing to prevent tampering and for easy maintenance.

ST Electronics said the system is expected to last a decade, adding that it is immune to electromagnetic and radio frequency interferences, making it effective for deployment in an airfield.

The system is expected to be fully operational by end-2012.

Thursday, July 21, 2011

Security analysis of Dutch smart metering systems

Smart metering must offer a security level as high as for money transfers - Dutch minister of Economic Affairs

Smart meters enable utility companies to read out metering data automatically and give consumers insight into their energy usage, which should lead to a reduction in energy consumption. To regulate smart meter functionality, the Dutch government commissioned the NEN to create a Dutch standard for smart meters, which resulted in the NTA-8130 specification.

Currently the Dutch grid operators are experimenting with smart meters in various pilot projects. In this project we analyzed the current smart meter implementations and the NTA using an abstract model based on the CIA triad (Confidentiality, Integrity and Availability). It is important that no information can be obtained by unauthorized parties, that smart meters cannot be tampered with, and that suppliers receive correct metering data.

It was concluded that the NTA is not specific enough about the security requirements of smart meters, which leaves this open for interpretation by manufacturers and grid operators. Suppliers do not take the privacy aspect of the consumer data seriously. Customers can only get their usage information through poorly secured websites. The communication channel for local meter configuration is not secured sufficiently: consumers might even be able to reconfigure their own meters.

Also, the communication channels that are used between the smart meter and gas or water meter are often not sufficiently protected against data manipulation. It is important that communication at all stages, starting from the configuration of the meter to the back-end systems and websites, is encrypted using proven technologies and protected by proper authentication mechanisms.

Refer here to download the full report.

Thursday, June 2, 2011

Security and Prosperity in the Information Age

America's Cyber Future!

America’s growing dependence on cyberspace has created new vulnerabilities that are being exploited as fast as or faster than the nation can respond. Cyber attacks can cause economic damage, physical destruction, and even the loss of human life. They constitute a serious challenge to U.S. national security and demand greater attention from American leaders.

Despite productive efforts by the U.S. government and the private sector to strengthen cyber security, the increasing sophistication of cyber threats continues to outpace progress. To help U.S. policymakers address the growing danger of cyber insecurity, this two-volume report features accessible and insightful chapters on cyber security strategy, policy, and technology by some of the world’s leading experts on international relations, national security, and information technology.

Volume I

America’s Cyber Future: Security and Prosperity in the Information Age
By Kristin Lord and Travis Sharp

Volume II

Note: Chapters are bookmarked within the Table of Contents.

Chapter I: Power and National Security in Cyberspace
By Joseph S. Nye, Jr.

Chapter II: Cyber Insecurities: The 21st Century Threatscape
By Mike McConnell

Chapter III: Separating Threat from the Hype: What Washington Needs to Know about Cyber Security
By Gary McGraw and Nathaniel Fick

Chapter IV: Cyberwar and Cyber Warfare
By Thomas G. Mahnken

Chapter V: Non-State Actors and Cyber Conflict
By Gregory J. Rattray and Jason Healey

Chapter VI: Cultivating International Cyber Norms
By Martha Finnemore

Chapter VII: Cyber Security Governance: Existing Structures, International Approaches and the Private Sector
By David A. Gross, Nova J. Daly, M. Ethan Lucarelli and Roger H. Miksad

Chapter VIII: Why Privacy and Cyber Security Clash
By James A. Lewis

Chapter IX: Internet Freedom and Its Discontents: Navigating the Tensions with Cyber Security
By Richard Fontaine and Will Rogers

Chapter X: The Unprecedented Economic Risks of Network Insecurity
By Christopher M. Schroeder

Chapter XI: How Government Can Access Innovative Technology
By Daniel E. Geer, Jr.

Chapter XII: The Role of Architecture in Internet Defense
By Robert E. Kahn

Chapter XIII: Scenarios for the Future of Cyber Security
By Peter Schwartz

This study was co-chaired by Robert E. Kahn, Mike McConnell, Joseph S. Nye, Jr. and Peter Schwartz, and edited by Kristin M. Lord and Travis Sharp.

Download Volume I (PDF)
Download Volume II (PDF)

Monday, February 21, 2011

Dynamic Authentication - Visa Technology Innovation Program

New Technology Innovation Program is All About Secure Transactions

A move toward EMV can help merchants cut their security compliance costs

That's the message from Visa Inc., which last week announced the launch of the Visa Technology Innovation Program, designed to exempt eligible international merchants from annual validation of their compliance with the Payment Card Industry Data Security Standard (PCI DSS).

The goal: to encourage merchants to move toward dynamic data authentication, which EMV chip technology makes possible.

In order to qualify for the Technology Innovation Program, international merchants in EMV markets must prove that at least 75 percent of their transactions are EMV chip transactions. They also must validate previous compliance with the PCI-DSS, and they cannot have a breach of cardholder data history on their records. The program takes effect March 31.

Saturday, May 22, 2010

Automobiles could be vulnerable to hackers

Cars' Computer Systems Called at Risk to Hackers

Tomorrow's Internet-connected cars could be vulnerable to hackers in the way computers are today, warn researchers at the University of Washington (UW) and the University of California, San Diego (UCSD). During a recent test, the researchers were able to remotely control a car's braking and other functions.

"We demonstrate the ability to adversarially control a wide range of automotive functions and completely ignore driver input--including disabling the brakes, selectively braking individual wheels on demand, stopping the engine, and so on," the researchers write. The researchers were also able to insert malicious software into the car and then erase any evidence of tampering.

"Taken together, ubiquitous computer control, distributed internal connectivity, and telematics interfaces increasingly combine to provide an application software platform for external network access," write the researchers.

Refer here for more details.

Friday, May 7, 2010

New Computer Interface Goes Beyond Just Touch

Manual Deskterity combines a touch with the trusty pen

Microsoft researchers have developed Manual Deskterity, a computer interface that combines touch input with the precision of a pen. The prototype drafting application, designed for the Microsoft Surface tabletop touchscreen, enables users to perform touch actions such as zooming in and out and manipulating images, but they also can use a pen to draw or annotate those images.

Manual Deskterity also allows users to touch an image onscreen with one hand while using the pen in the other hand to take notes or perform other actions that pertain to that object. Users need to learn more tricks to use Manual Deskterity, but the natural user interface should ease the learning curve by engaging muscle memory.

"This idea that people just walk up with an expectation of how a [natural user interface] should work is a myth," says Microsoft research scientist Ken Hinckley. The researchers also plan to adapt the interface for use with mobile devices. Incorporating only touch input into devices is a mistake, according to Hinckley, who believes that pen and touch interactions can complement each other.

Refer here for more details.


Wednesday, May 5, 2010

Putting the Touch Into Touchscreens

How a person's brain interprets the sense of touch

Researchers are studying new haptics technologies and how a person's brain interprets the sense of touch. For example, Marie Curie University researchers are developing a system that uses surface vibrations to generate sensations of texture. By changing the frequencies of the vibration, the researchers are able to make the surface feel rougher or smoother.


Meanwhile, Mexican computer engineer Gabriel Robles De La Torre is using vibrating surfaces to simulate sensations of sharpness: motors create lateral movement in a smooth, flat surface, changing the resistance a user's finger feels as it moves across a certain part of the screen, which is perceived as a sharp edge. Northwestern University engineer Ed Colgate is using vibrations to make objects feel more slippery. His system vibrates their surface at a very high frequency with an amplitude of about two micrometers.

University of Exeter's Ian Summers uses a force-feedback system featuring pressure-sensitive nerves instead of stretch-sensitive ones. The system is able to simulate the feel of several materials. And McGill University's Yon Visell has developed a novel surface designed to simulate walking on different types of ground, such as solid ground, gravel, or sand.

Refer here to read more details.

Monday, December 28, 2009

Launch of First Operating System for Smart Grid Home Automation

Open software platform for energy management


The Fraunhofer Institute for Wind Energy and Energy System Technology (IWES) has founded the Open Gateway Energy Management Alliance (OGEMA) to promote an open energy management software platform that connects a customer's loads and generators to the control stations of the power supply system while also featuring a customer display for user interaction.


The software platform will let end customers see the future variable price of electricity automatically and shift energy consumption according to supply. Already today, electricity is free on the German energy exchange at times when large power plants have to be derated because of high feed-in from wind power. Using automated load-shifting, private households and small businesses should also benefit from such favorable electricity prices. Because the gateway platform is open, anyone will be able to turn concepts into software, even if they are not OGEMA participants.


The initiative involves the rapid development of numerous applications that will encompass the unique needs of private households, supermarkets, small businesses, and public institutions and help to harness the potential for energy efficiency which is not currently available. The OGEMA-provided interfaces also can be used by the developers of driver software for linking the gateway to devices and energy systems within the building as well as to the control stations of the energy suppliers.


Refer here for further details.

Wednesday, October 7, 2009

By 2040 You Will Be Able to Upload Your Brain...

"a person's entire personality, memory, skills and history", by the end of the 2030s

Inventor and visionary Ray Kurzweil has drawn admiration and scorn in equal measure for his prediction of imminent revolutionary innovations such as the overtaking of human intelligence by artificial intelligence, three-dimensional printers that can fabricate physical objects from a data file and cheap input materials, and an indefinite lifespan free of senescence.

He anticipates that it will be possible to upload the human brain into a computer by the end of the 2030s, while human intelligence will evolve through technological enhancement to the point where it starts to expand outward into the universe in the 2040s. Kurzweil is the author of The Singularity is Near: When Humans Transcend Biology, in which he envisions a singularity, or what he calls "a future period during which the pace of technological change will be so rapid, its impact so deep, that human life will be irreversibly transformed."

The singularity hinges on the exponential rate at which technology is advancing, according to Kurzweil. He is a director of the nonprofit Singularity Institute for Artificial Intelligence, which is touted as "the only organization that exists for the expressed purpose of achieving the potential of smarter-than-human intelligence safer and sooner."

Refer here to read the interesting research.