        Who's Watching You Sleep?

        Nov 25 2014, 10:48 PM

        by Brook Chelmo

        Thanks to George Orwell’s classic book 1984, I graduated high school thinking I would eventually live in a world monitored and suppressed by world governments. In the wake of the PRISM scandal in 2013, I started to get the feeling that Orwell’s dystopian novel was looking like an ill-timed prophecy. In light of comedian Pete Holmes’ rant on how privacy is uncool, it is little brother (us) leaking our secrets; no one has to steal them from us. If you thought unmanaged social media privacy settings were bad, how much would you cringe if you knew you were letting people watch you sleep? Welcome to the perils of the Internet of Things (IoT).

        Up until very recently, a number of security camera manufacturers were shipping internet-connected cameras (AKA IP cameras) with default passwords. Many of these passwords were never changed by the purchaser after setting the cameras up. It was only a matter of time before someone set up a website displaying many of these feeds (up to 73K at its peak).

        Let me introduce Insecam, the website dedicated not only to showing you the unrestricted feeds of home and commercial security cameras, but also to showing where they are located, along with all of the admin and password information. In addition to this, they have social plugins that let you share your favorite feeds with your community. Ultimately taken from the pages of the improving-through-shaming security book, this site claims to seek the end of default passwords, yet places advertisements conveniently next to its navigation icons.


        On my review of the site, I saw mundane shots of doors and walkways and milder scenes of people working the front counters of gas stations and dry-cleaners. With a chill down my spine, I saw a bartender drinking the profits and an overhead shot of a girl scrolling through a fashion site. What startled me was the sheer number of cameras in bedrooms, a no-no in my world. Granted, a majority of these were aimed at cribs, but the alarming part was the number of unsecured cameras pointed at hospital patients, adult beds, living rooms, and private hot tubs. Sadly, various online forum contributors claim to have found dead bodies and adults in very private or intimate situations. Situations like this define the need for better security in the Internet of Things landscape.

        No matter which colored bucket of hacker you place Insecam’s creator into, they have exposed a gaping hole in the IoT landscape. In 2011 there were over 9 billion devices connected to the internet, and by the year 2020 that number is expected to be close to 24 billion. This is a cause for concern for manufacturers and companies like Symantec, and a potential bonanza for hackers. As more and more things come online, we are discovering new vulnerabilities and finding that some security practices are becoming out of date. There are obstacles with current security practices, but there are ways to overcome them.

        Better Password Management

        I’m not a fan of passwords. Since we have to live with them, we have to learn how to use them. I wrote a fun mocku-blog on password best practices for you to loathe and share. Passwords are a very weak form of security, and Insecam proved that. Two-factor authentication can be used to install and access IP camera feeds via a computer or mobile device. If you have the time, take a peek at this white paper from Symantec on digital certificates used for authentication.

        When it is all said and done, Insecam victims used default ports and passwords and were most likely discovered by an IP address scanning tool. A simple change of the password would remove them from the site, but it could still be guessed by a serious stalker. Keep in mind that passwords are the number one thing sought after by hackers, since we often use the same ones on multiple sites. Here is how they do it.

        Encryption: an IoT solution

        As a best PKI practice, all data SHOULD be encrypted in transit and at rest between a host and a client. If the device manufacturers enabled encryption of the data, only the end user could review the video stream, via client authentication. This would slow the feed a bit, but it would secure the connection. If marketers want to instill trust in their internet-connected devices, they need to consider building a security promise into their messaging. So how can they encrypt a live feed?

        My engineering buddy and counterpart Frank Agurto-Machado recommends embedding a private SSL root CA within each device. The connection between the manufacturer’s infrastructure and the camera would be secured and encrypted via client authentication to this private SSL root. Ultimately, this may increase the cost of a device, but it would help better ensure security. While this DOES NOT remedy password hijacking, it secures the channel point-to-point between the “client” and the host. Symantec offers private CAs to enterprises that need customized encryption for server-to-server communication or for applications such as this.
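As an added illustration of the private-root, client-authenticated design described above (example code written for this edit, not Symantec's or any camera vendor's): a Go program that mints a private root CA, a backend certificate and a device certificate under it, then runs mutual-TLS handshakes over an in-memory pipe so the backend's accept/reject decision can be observed without a network. The hostnames, the "camera-0001" identity and the pipe transport are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// issue mints a certificate for cn signed by parent; pass an empty parent to self-sign a root CA.
func issue(cn string, isCA bool, parent tls.Certificate) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{SerialNumber: serial.Add(serial, big.NewInt(1)), IsCA: isCA, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	if parent.Leaf == nil { // no issuer given: this is the root, signed with its own key
		parent = tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, &key.PublicKey, parent.PrivateKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// handshake runs one mutual-TLS handshake over an in-memory pipe. The backend trusts only rootCA and
// requires a client certificate; it returns nil if the camera's camCerts (nil = none) are admitted, else why not.
func handshake(rootCA, backend tls.Certificate, camCerts []tls.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(rootCA.Leaf)
	srvCfg := &tls.Config{Certificates: []tls.Certificate{backend}, MinVersion: tls.VersionTLS12,
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool, SessionTicketsDisabled: true}
	cliCfg := &tls.Config{Certificates: camCerts, RootCAs: pool, ServerName: "backend.example"}
	cli, srv := net.Pipe()
	cli.SetDeadline(time.Now().Add(5 * time.Second)) // the pipe is unbuffered: never let a rejected camera hang
	verdict := make(chan error, 1)
	go func() { verdict <- tls.Server(srv, srvCfg).Handshake() }()
	tls.Client(cli, cliCfg).Handshake() // a TLS 1.3 client finishes before it hears the backend's verdict
	cli.Close()                         // so the backend's rejection alert fails fast instead of blocking
	return <-verdict
}
```

The three cases worth trying are a camera holding a device certificate under the private root (admitted), a camera with no certificate (rejected) and a camera holding a certificate from some other root (rejected), which is exactly the property the design above relies on.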

        The Security Trade-Off


        Throughout the course of world history, humans have always had to juggle access and fortification when it comes to security. Our ancestors had to find a way to secure a food hoard that would not take hours to hide or cover. Castles had to ensure soldiers and citizens could pass freely yet survive a siege. Anti-virus software on your PC has to allow you to quickly surf the internet but check and possibly restrict all incoming traffic. Manufacturers within the IoT space have to learn how to balance these two and improve customer messaging to assist customers in setting up trustworthy and secure devices.

        Edit: Since this blog was written, Insecam has been shut down. From appearances, it was taken down by a third-party hacker.

        Hackers Playing Grinch Could Dampen Your Holiday Sales

        May 18 2016, 6:57 PM

        by Russell Roering


        As the holiday shopping season descends upon retailers and shoppers, storm clouds of apprehension from recent data breaches continue to darken the perception of safety among some consumers. A recent study conducted by and reported on by Huffington Post found that 45% of gift-grabbing respondents would “definitely not” or “probably not” shop at major retailers that suffered data breaches this year. The study also noted that 48% of shoppers said they would use cash instead of debit or credit cards, due to the high number of recent data breaches.

        Given that retailers depend on holiday sales to meet their annual goals, losing nearly half of their holiday customer base, either online or at a brick-and-mortar store, could have devastating financial implications for these outlets. Make no mistake: trust drives sales. And as the data above shows, once that trust is shaken, it can be difficult to rebuild.

        Double check the security of transactions

        Organizations need to focus on both continuing to shore up their defenses and their customers’ trust, as today’s vulnerability could be tomorrow’s casualty. During the holiday season, the temptation for hackers is at its highest. Below are a few steps your organization’s IT department should consider putting in place to ensure security this holiday season:

        • On-site security. Online retailers should help consumers feel safe right away when visiting their site. This can be done by using the Extended Validation (EV) SSL green address bar, Always On SSL (AOSSL) throughout the entire shopping experience, and posting the Norton Secured Seal at any areas where the consumer needs to make a decision (e.g. login, order page, payments page).
        • Secure data transfer. Various studies have shown that 56% of all data breaches could be stopped by having encryption protecting network data. Use network security solutions (even between internal corporate networks) such as Symantec Endpoint Protection to harden endpoints, encrypt data, and provide layered protection against malware.
        • Train employees to spot social engineering. Remember, many attacks happen due to “social engineering”: manipulation of people into performing actions or divulging confidential information. An attacker who compromises one employee’s computer can put the rest of the internal network at risk of exposing critical data, so protection between the individual parts of the corporate network is just as important.
        • Integrate with the company’s crisis communication plan. IT can help the overall crisis communications plan by developing “dark pages” on the corporate website. Dark pages should include pertinent contact information and communication channels which could be pushed live in the wake of a breach. Pages should also include frequently asked questions and placeholders for answers to quickly get facts out ahead of third-party articles, opinions from experts and a spike in brand conversation on social media channels.

        Respond promptly to any issues

        Because of this loss of trust, IT security staff of breached retailers should be especially vigilant during the holiday season; becoming deeply involved in helping the organization repair besmirched trust with customers, to reinforce the assurance of safe shopping, will be critical to this process. If your organization happens to experience a breach during the holidays, or even during the rest of the year, here are a few steps IT can take to help restore trust:

        • Create an online support forum on the corporate website which is easily located and visible to provide customers with official information regarding the breach your organization suffered, a way to report fraudulent activity (some states even require this), and a way to notify the organization directly if they suspect another breach has taken place. Respond to all serious inquiries and assume any could be legitimate.
        • Anticipate questions and lend expertise to help guide restorative messaging to customers. IT is uniquely positioned on the front lines of a breach, which is important at the moment of breach, but we become important again in offering customers assurance post-breach.
        • Spread the word. Provide communications both on the corporate website as well as on the company social media channels to explain how the company took steps to manage security. Also note that this messaging should be Legal- and CISO-approved.
        • Be mindful of new threats from scammers looking to take advantage of potential vulnerabilities in the wake of a breach. IT can aid the investigation, reporting and communicating with the public and board members about damaging content.
        • Learn from a breach. In the days and weeks after a breach, share website referral traffic stats with the security response team to help guide a post-breach communication and monitoring strategy for the future. For example, you may find that a great number of users clicked links to your website from a single news outlet or social network.

        The holidays are by far the most critical time for retailers to be thinking about security, but it shouldn’t be the only time. Breaches can happen out of the blue; use your position in IT to help keep grinches at bay and keep your customers’ information—and their trust in your business—secure. Breached organizations should follow these guidelines year-round, disclosing breaches quickly and transparently, and keeping the communication focus on protecting users in the future.

        To protect your enterprise, protect your vendors

        Nov 10 2014, 10:04 PM

        by Teresa Law

        We talk a great deal about using strong authentication to secure access for enterprise employees, but often we don’t think about how breaches at vendors could make our own enterprise vulnerable. In some cases, all an attacker needs is to steal a username and password from a vendor to begin their attack on your enterprise. That is exactly what happened to Home Depot, and it is an excellent example of why not only you but also your outside vendors should be using strong authentication like Symantec VIP: the Home Depot hackers exposed 53 million email addresses. This kind of breach not only damages customer trust; Home Depot also estimates that the theft will cost about $62 million.

        “According to Home Depot, the attackers stole login credentials from an outside vendor and used this information to infiltrate Home Depot’s systems. They could then move from a peripheral third-party vendor system to the company’s main computer network by exploiting a Windows vulnerability. Microsoft released a patch for this bug after the breach began, but while Home Depot applied the patch when it was released, it was too late. The attackers could then move to more Home Depot computers, eventually reaching 7,500 of the company’s POS terminals at self-checkout lanes. However, the attackers may have missed 70,000 of the retailer’s standard cash registers as these terminals were only identified by numbers.

        The attackers moved through Home Depot’s network during regular business hours and used malware that stole data, transmitted details to a remote location, and deleted its traces. According to the investigation, the breach could have gone unnoticed for much longer if the attackers hadn’t put some of the stolen credit card details on sale while a number of Home Depot executives were on vacation for Labor Day.”

        The Symantec Internet Threat Report highlighted how attackers are using smaller businesses and the supply chain to attack larger entities; the Home Depot attack dramatically reinforces this finding. Attackers are becoming more relentless, using multiple avenues to stage attacks. Enterprises need to engage in a layered security approach to mitigate the risk. A mandatory first step is ensuring that not only your enterprise but also your vendors are securing access to their networks and applications. Symantec VIP is a simple, smart, and secure way to easily add a second layer of protection to secure access. A username and password may be compromised, but a secure second factor will not.
