Welcome!

@ThingsExpo Authors: Yeshim Deniz, Pat Romanski, Liz McMillan, Elizabeth White, Zakia Bouachraoui

Related Topics: FinTech Journal, Cloud Security, @DXWorldExpo, @ThingsExpo

FinTech Journal: Article

When Things Attack! | @ThingsExpo #IoT #M2M #API #Security

The hacking game has changed

As I started writing this blog, I happened to be watching an episode from the new season of Black Mirror on Netflix. Black Mirror is a Sci-Fi anthology series, ala the Twilight Zone, although with a much darker perspective on both humanity and technology. I found the episode, ‘Most Hated in the Nation' somewhat apropos to my topic. The episode follows a police detective investigating the apparent murder of a columnist. This individual has been deluged with social media hate diatribes that would seem familiar to many. As the investigation continues, more mysterious deaths occur, with the victims all being targets of similar social media anger. Meanwhile, in the background, there are various news stories and visual cuts to ADIs (Autonomic Drone Insects). These tiny bee-like drones are being deployed throughout the country to replace the dying bee population, allowing for the continued pollinizing of crops.

Spoiler alert! As you can probably guess, it turns out someone was able to hack into the ADIs to pervert their actual purpose. The drones were killing the individuals in a rather gruesome fashion and the killer was using the social media hate to target his victims. There was the obligatory arguments from the manufacturers that the ADIs could not be hacked.... pause for effect...except for the back doors the government forced them to put in so the drones could be used for surveillance. Then enter the standard disgruntled employee who leveraged the back doors to make a very public and violent social statement about spewing hate in social media without consequences. (As I mentioned, Black Mirror takes a very dark view on both humanity and technology in most of their episodes.) The killer hacked millions of small intelligent devices, and turned them into weapons.

The recent Internet outage, a new kind of attack
On Friday morning, October 21, the first of several DDoS (Distributed Denial of Service) attacks on the core DNS infrastructure of the Internet on the East coast occurred. This attack caused significant outages for major internet sites such as Twitter, Spotify, Reddit, and Amazon. I was working remotely for a client and felt the impact directly. The client provides consultants access to their internal environments via Amazon Workspace. On Friday morning, we could not get access to that environment while the attack was occurring, which, as you can imagine, made for a very frustrating day.

DDoS attacks are not a new phenomenon. However, there were several key things that made this one a little different:

  • Most DDoS target a specific website or company. This one targeted a key part of the internet infrastructure, DNS, provided by a particular vendor, Dyn. This resulted in it having much broader reach and impact.
  • Dyn described the attack as a "very sophisticated and complex attack." As Dyn took mitigation steps against the attack, it would change, and adapt, making their efforts to respond much more difficult. They would start blocking the attack from one area, and very shortly, new IP addresses from a completely different part of the world would start attacking.
  • The attack was coming from tens of millions of discreet IP addresses from around the world. In the past, these kind of attacks came from hijacked computers and laptops that had been infected with malware. This attack went further. Besides the same hijacked computers, this attack also used infected "Things" from the Internet of Things. Devices like DVR's, webcams, baby monitors, and home routers.

Mr. President, they are using our own devices against us
Okay, I admit, a little corny, but the point is a valid one (bonus points if you can identify the movie I am paraphrasing). The Internet of Things (IoT) is growing at astronomical rates. Gartner predicts that by the end of this year there will be over 6.4 billion "things" on the Internet, up 30% from last year. They estimate we are currently adding 5.5 million devices every day. A common topic of discussion and concern in the IoT space is security. As those that frequently read my articles know, this is a topic near and dear to my heart, quite literally. I have a pacemaker and insertable cardiac monitor in my chest (see my recent blog, ‘Musings on the Internet of Things - I am now a Thing'). Whenever the words IoT and Security show up in my newsfeed, I pay attention.

Most often when discussing security concerns related to the Internet of Things, the conversation tends to focus on two aspects:

  • The increased attack surface: All of these devices extend the attack surface of networks, providing more potential entrée points into a corporate network.
  • The potential lack of solid security implementation in these devices. Many devices still ship with standard default username/passwords, and sadly, many users never bother changing them (see my blog ‘Hacking and the Internet of Things' for some detailed descriptions of this).

This attack takes the first item of concern, attack surface, and completely flips it on its head. Instead of worrying about the devices acting as an entrée point to access data, we now have to worry about the devices being an actual tool and weapon in the attacks themselves. While not going to the extreme level of the Black Mirror episode I mentioned at the beginning, the hackers have started weaponizing our Things on the Internet. They are using them against us. The hackers are able to accomplish this in large part due to the second item of concern I mentioned. The lack of security implementations on many devices is a continuing struggle in the world of the Internet of Things. Balancing consumer ease of use with security is like walking a tightrope over a tank full of hungry sharks. Striking that balance is never easy.

No, the Things are not going to destroy civilization as we know it
This is not meant to be a doomsday prophesy. I do not subscribe to the dark view of humanity and technology displayed in Black Mirror. The Internet of Things, like any disruptive technology, has the ability to turn our viewpoints and paradigms on their heads. Last week's attack is a prime example of that. Given the raw numbers, the Internet of Things genie is out of the bottle, and there is no putting it back in. No technology negates the need for good design and planning. Those designs and plans must always include security as a key area of focus.

As technologists, we need to look at security from a different perspective. We have to think about the potential hackers differently. In the old paradigm, it was simple: protect the data, protect the boundaries of the data centers. That is still valid and needs to be done. But in addition, we need to look through the lens of disruptive technologies and work with vendors to implement stronger security measures on their devices. Work with educating end users about their use of these devices, ensuring they do not compromise them in the name of ease of use. We also need to look at other new disruptive technologies that could help in this battle. For example, machine learning is starting to be looked at as a tool that might help identify and respond to a security breach, adapting to changing attack patterns.

Ultimately, security in the world of technology is always a delicate balancing act between access, usability, and protection. It is critical to understand the risks, work with the business to educate them on the balance/tradoffs, and take the appropriate measures to ensure the proper balance is maintained. Oh, and if you hear a bee buzzing near your head, ignore it, I am sure it's nothing.

Register for @CloudExpo/@ThingsExpo 'FREE' Before Friday! Here

@ThingsExpo - The World's Largest 'Internet of Things' Event, November 1-3, 2016, at the Santa Clara Convention Center!

Secrets of Sponsors and ExhibitorsHere
Secrets of Cloud Expo SpeakersHere

All major researchers estimate there will be tens of billions devices - computers, smartphones, tablets, and sensors - connected to the Internet by 2020. This number will continue to grow at a rapid pace for the next several decades.

@CloudExpo / @ThingsExpo 2016 Silicon Valley
(November 1-3, 2016, Santa Clara Convention Center, CA)

@CloudExpo / @ThingsExpo 2017 New York
(June 6-8, 2017, Javits Center, Manhattan)

With major technology companies and startups seriously embracing IoT strategies, now is the perfect time to attend @CloudExpo | @ThingsExpo, November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Learn what is going on, contribute to the discussions, and ensure that your enterprise is as "IoT-Ready" as it can be.

Register for @CloudExpo/@ThingsExpo 'FREE' Before Friday! Here

Track 1: Enterprise Cloud & Digital Transformation
Track 2: Microservices | Cloud Hot Topics
Track 3: Internet of Things & Cloud
Track 4: APIs & Cloud Security
Track 5: Big Data Analytics
Track 6: DevOps, Continuous Delivery & Containers
Track 7: Enterprise IoT & IIoT
Track 8: IoT Developer
Track 9: Consumer IoT | IoT Hot Topics

Delegates to Cloud Expo | @ThingsExpo will be able to attend 9 simultaneous, information-packed education tracks.

There are over 120 breakout sessions in all, with Keynotes, General Sessions, and Power Panels adding to three days of incredibly rich presentations and content.

Join @CloudExpo | @ThingsExpo conference chair Roger Strukhoff (@IoT2040), June 7-9, 2016 in New York City, for three days of intense 'Internet of Things' discussion and focus, including Big Data's indispensable role in IoT, Smart Grids and Industrial Internet of Things, Wearables and Consumer IoT, as well as (new) IoT's use in Vertical Markets.

About SYS-CON Media & Events
SYS-CON Media (www.sys-con.com) has since 1994 been connecting technology companies and customers through a comprehensive content stream - featuring over forty focused subject areas, from Cloud Computing to Web Security - interwoven with market-leading full-scale conferences produced by SYS-CON Events. The company's internationally recognized brands include among others Cloud Expo® (@CloudExpo), Big Data Expo® (@BigDataExpo), DevOps Summit (@DevOpsSummit), @ThingsExpo® (@ThingsExpo), Containers Expo (@ContainersExpo) and Microservices Expo (@MicroservicesE).

Cloud Expo®, Big Data Expo® and @ThingsExpo® are registered trademarks of Cloud Expo, Inc., a SYS-CON Events company.

More Stories By Ed Featherston

Ed Featherston is VP, Principal Architect at Cloud Technology Partners. He brings 35 years of technology experience in designing, building, and implementing large complex solutions. He has significant expertise in systems integration, Internet/intranet, and cloud technologies. He has delivered projects in various industries, including financial services, pharmacy, government and retail.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


IoT & Smart Cities Stories
Dion Hinchcliffe is an internationally recognized digital expert, bestselling book author, frequent keynote speaker, analyst, futurist, and transformation expert based in Washington, DC. He is currently Chief Strategy Officer at the industry-leading digital strategy and online community solutions firm, 7Summits.
Digital Transformation is much more than a buzzword. The radical shift to digital mechanisms for almost every process is evident across all industries and verticals. This is often especially true in financial services, where the legacy environment is many times unable to keep up with the rapidly shifting demands of the consumer. The constant pressure to provide complete, omnichannel delivery of customer-facing solutions to meet both regulatory and customer demands is putting enormous pressure on...
IoT is rapidly becoming mainstream as more and more investments are made into the platforms and technology. As this movement continues to expand and gain momentum it creates a massive wall of noise that can be difficult to sift through. Unfortunately, this inevitably makes IoT less approachable for people to get started with and can hamper efforts to integrate this key technology into your own portfolio. There are so many connected products already in place today with many hundreds more on the h...
The standardization of container runtimes and images has sparked the creation of an almost overwhelming number of new open source projects that build on and otherwise work with these specifications. Of course, there's Kubernetes, which orchestrates and manages collections of containers. It was one of the first and best-known examples of projects that make containers truly useful for production use. However, more recently, the container ecosystem has truly exploded. A service mesh like Istio addr...
Digital Transformation: Preparing Cloud & IoT Security for the Age of Artificial Intelligence. As automation and artificial intelligence (AI) power solution development and delivery, many businesses need to build backend cloud capabilities. Well-poised organizations, marketing smart devices with AI and BlockChain capabilities prepare to refine compliance and regulatory capabilities in 2018. Volumes of health, financial, technical and privacy data, along with tightening compliance requirements by...
Charles Araujo is an industry analyst, internationally recognized authority on the Digital Enterprise and author of The Quantum Age of IT: Why Everything You Know About IT is About to Change. As Principal Analyst with Intellyx, he writes, speaks and advises organizations on how to navigate through this time of disruption. He is also the founder of The Institute for Digital Transformation and a sought after keynote speaker. He has been a regular contributor to both InformationWeek and CIO Insight...
Andrew Keys is Co-Founder of ConsenSys Enterprise. He comes to ConsenSys Enterprise with capital markets, technology and entrepreneurial experience. Previously, he worked for UBS investment bank in equities analysis. Later, he was responsible for the creation and distribution of life settlement products to hedge funds and investment banks. After, he co-founded a revenue cycle management company where he learned about Bitcoin and eventually Ethereal. Andrew's role at ConsenSys Enterprise is a mul...
To Really Work for Enterprises, MultiCloud Adoption Requires Far Better and Inclusive Cloud Monitoring and Cost Management … But How? Overwhelmingly, even as enterprises have adopted cloud computing and are expanding to multi-cloud computing, IT leaders remain concerned about how to monitor, manage and control costs across hybrid and multi-cloud deployments. It’s clear that traditional IT monitoring and management approaches, designed after all for on-premises data centers, are falling short in ...
In his general session at 19th Cloud Expo, Manish Dixit, VP of Product and Engineering at Dice, discussed how Dice leverages data insights and tools to help both tech professionals and recruiters better understand how skills relate to each other and which skills are in high demand using interactive visualizations and salary indicator tools to maximize earning potential. Manish Dixit is VP of Product and Engineering at Dice. As the leader of the Product, Engineering and Data Sciences team at D...
Dynatrace is an application performance management software company with products for the information technology departments and digital business owners of medium and large businesses. Building the Future of Monitoring with Artificial Intelligence. Today we can collect lots and lots of performance data. We build beautiful dashboards and even have fancy query languages to access and transform the data. Still performance data is a secret language only a couple of people understand. The more busine...