Fatal Disasters: Hacking the Internet of Things

Submitted by Wall St. Daily as part of our contributors program

It’s just a matter of time before we move from hacked elections to hacked hospitals. And that’s when the body count starts.

Dear Wall Street Daily Reader,

We haven’t heard much out of Trump Tower about cybersecurity during the presidential transition.

Of course, there’s no reason for The Donald to draw even more attention to things like Russia’s global hacking activities, which, to hear aggrieved Democrats tell it, are the sole cause of Hillary Clinton’s loss.

Funny thing is, whether or not Vladimir Putin won the election for Donald Trump is just commentary after a game now relegated to the dustbin of history.

All the pearl-clutching notwithstanding, the Integrity of Our Democracy has long since been compromised by more prosaic factors such as money, greed, and power.

Here’s another cold, hard reality: There are bigger threats out there . . . threats that can literally kill you.

For instance: Check out “what every browser knows about you.”

Really, click through the link. There you’ll find exactly what happens when you’re connected to the internet.

As Mark Frauenfelder of Boing Boing notes, “any website you visit” is able to figure out “your location, operating system, browser plugins, previously visited web page, local and public IP, service provider, social media networks you are logged into, devices on your local network, and more.”

Good news, though: There are also ways to cover your trail. “The site also shows you,” Frauenfelder writes, “how to hide any of this information that you don’t want to reveal.”

So Russia may or may not have hacked the U.S. presidential election.

What we can be more certain of – via Slashdot, which links to a CNNMoney story and may or may not be more credible than the U.S. Intelligence Community – is that Russian hackers are capable of skimming about $5 million a day through an online video advertising scam.

Startup cybersecurity company White Ops sniffed out the fraud. Here’s its report on the Methbot operation, “the largest and most profitable ad fraud operation to strike digital advertising to date.”

Until December 20, when White Ops published its report, the total haul was around $180 million.

There’s also news via Slashdot that “Aircraft Entertainment Systems Hacks Are Back”:

Researchers at IOActive today disclosed vulnerabilities in Panasonic Avionics in-flight entertainment systems that were reported to the manufacturer close to two years ago. The flaws could be abused to manipulate in-flight data shown to passengers, or access personal information and credit card data swiped at the seat for premium entertainment or internet access. Given that the firmware is customizable and used by dozens of airlines in hundreds of aircraft models, the researchers said it’s almost impossible to determine whether the vulnerabilities no longer exist across the board.

This is really just nuisance-type stuff – theft, inconvenience, and a pain in the ass. You can recover from it.

Though he had no idea how ironic it would read when he said it at the RSA cybersecurity conference back in February 2014, Director of the Federal Bureau of Investigation James Comey noted: “The fact of the matter is that the United States faces real threats from criminals, terrorists, spies, and malicious cyber actors.”

So Jim, what do we do about it?

“The private sector,” Comey said earlier, in a statement read prior to his testimony before the Senate Committee on Homeland Security and Governmental Affairs in November 2013, “is the key player in cybersecurity. Private-sector companies are the primary victims of cyberintrusions. And they also possess the information, the expertise, and the knowledge to address cyberintrusions and cybercrime in general.”

There’s a big problem with this analysis, particularly when it comes to the proliferation problem that is the internet of things (IoT).

As we wrote in the August 16, 2016, Wall Street Daily, device-makers put profits ahead of security. In fact, research by authentication provider Auth0 found that 85% of IoT developers admitted to being pressured to get a product to market before adequate security could be implemented.

Pretty sure the digital advertising fraud probably aggravated you, if at all, for its Russian component. And you might think twice about using in-flight services, particularly if you have to swipe your credit card to get access.

Meanwhile, that massive distributed denial-of-service (DDoS) attack that took down much of the internet in October via the hacking of webcams and other vulnerable connected devices took down some websites, but it didn’t kill anyone.

How’s this grab you: Cybersecurity expert Bruce Schneier, testifying in November before the House Energy and Commerce Committee, said that event exposed “catastrophic risks” in the growth of the IoT.

As Mike Orcutt wrote for MIT Technology Review:

Schneier and other experts testified that the same poor security exists in computers making their way into hospitals, including those used to manage elevators and ventilation systems. It’s not hard to imagine a fatal disaster, which makes it imperative that the government step in to fix this “market failure,” he said.

Indeed, a December 1, 2016, report prepared by the Obama administration’s nonpartisan Commission on Enhancing National Cybersecurity takes a more neutral tack, observing, “Technology companies are under significant market pressure to innovate and move to market quickly, often at the expense of cybersecurity.”

Its first recommendation for President-elect Trump emphasizes public-private cooperation:

The private sector and the administration should collaborate on a road map for improving the security of digital networks, in particular by achieving robustness against denial-of-service, spoofing, and other attacks on users and the nation’s network infrastructure.

In addition to imperfect market incentives, cybersecurity is a fragmented industry, with literally hundreds of products and services across tens of separate categories. And threats multiply as fast as malefactors can ideate them.

Establishing “a road map for improving the security of digital networks,” let alone finding a vehicle to generate profits for your portfolio, is not a straightforward task.

We’ve identified three vehicles in this space, including the PureFunds ISE Cybersecurity ETF (HACK), Imperva Inc. (IMPV), and NetScout Systems Inc. (NTCT).

We’ve also written up DDoS specialists Nexusguard Inc. and Zenedge Inc. as well as website protection/performance outfit Cloudflare Inc., all still privately held.

Performance has been generally mediocre, with the PureFunds ETF up 3.6% since August 16, versus a 3.7% gain for the S&P 500 index, 4.2% for the Nasdaq Composite, and 11.4% for the Russell 2000 Index.

Imperva is up 2.3% since October 27.

NetScout is the valedictorian of our small-cap cybersecurity suite so far, with a gain of 11.3% since our first mention in the October 27 issue, versus 6.1% for the S&P 500, 4.5% for the Nasdaq, and 14.9% for the Russell 2000.

NetScout is virtually ubiquitous, serving, by its own account, 90% of the world’s Tier 1 internet service providers, with “visibility into one-third of global internet traffic.”

As we noted on August 16, the next president of the United States is going to face a serious cyberthreat, “a massive internet disaster.”

It’s going to come from the IoT.

Let’s hope that road map starts at Trump Tower.

Money Quote

Brian Krebs, proprietor of KrebsOnSecurity.com, former cybersecurity columnist for The Washington Post, and author of New York Times best-seller Spam Nation: The Inside Story of Organized Cybercrime – From Global Epidemic to Your Front Door, has more good advice on how to protect your cyber-self:

  • Krebs’ Number One Rule for Staying Safe Online: “If you didn’t go looking for it, don’t install it!”
  • Krebs’ Rule #2 for Staying Safe Online: “If you installed it, update it.”
  • Krebs’ Rule #3 for Staying Safe Online: “If you no longer need it, remove it.”

Please see all of “Krebs’ 3 Basic Rules for Online Safety.”

David Dittman
Editorial Director, Wall Street Daily

The post Fatal Disasters: Hacking the Internet of Things appeared first on Wall Street Daily.

The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.