Cybersecurity and the IoT: A Guest Lecture at Lund University

September 30, 2022September 30, 2022 / bugejajoseph / Leave a comment

Today, I was invited to give a two-hour guest lecture about cybersecurity and the IoT to Lund University students. I introduced students to some state-of-the-art attacks that target IoT devices, networks, and services.

Everything can be a target when connected to the Internet, from a benign-looking device like a smart light bulb to a sophisticated system such as an electric car. Most of these things (which are often called smart objects) tend to be connected to public clouds, making them prone to remote attacks, ranging from misconfiguration to hijacking of accounts to malicious insiders, and more.

I also highlighted that it appears to be a growing trend that fewer vulnerabilities are being reported by various nations than before, specifically fewer vulnerabilities being reported by China. This could suggest that certain nations are covertly stockpiling vulnerabilities in order to strategically exploit them, perhaps for espionage purposes, but also for more nefarious purposes.

Anyway, in case you want to learn more about cyber security and the IoT, you are welcome to get in touch.

The FTC wants to crack down on mass surveillance

August 17, 2022August 16, 2022 / bugejajoseph / Leave a comment

The practice of gathering, analyzing, and profiting from data about individuals is known as commercial surveillance. Due to the volume of data gathered by some companies, individuals may be vulnerable to identity theft and hacking. Indeed, the dangers and stakes of errors, deception, manipulation, and other abuses have increased as a result of mass surveillance. The Federal Trade Commission (FTC) is seeking input from the general public on whether additional regulations are necessary to safeguard individuals’ privacy and personal data in the commercial surveillance economy.

I advise you to attend the open forum on September 8, 2022, particularly if you are a researcher focusing on the topic of privacy and security. Also, if you are developing your own system or perhaps planning your next research project, I highly recommend you look at some of the topics identified by the FTC as these are likely to affect the design of your project. Here are the topics mentioned: “Harms to Consumers”, “Harms to Children”, “Costs and Benefits”, “Regulations”, “Automated Systems”, “Discrimination”, “Consumer Consent”, “Notice, Transparency, and Disclosure”, “Remedies”, and “Obsolescence”. Pay particular attention to the topic “Automated Systems” if your system uses AI/ML technologies.

More information can be found here: https://www.ftc.gov/legal-library/browse/federal-register-notices/commercial-surveillance-data-security-rulemaking and https://www.ftc.gov/news-events/news/press-releases/2022/08/ftc-explores-rules-cracking-down-commercial-surveillance-lax-data-security-practices

Popular smart home brands may be allowing the police to conduct warrantless home surveillance

August 1, 2022 / bugejajoseph / Leave a comment

The security cameras in our smart homes from well-known smart home brands like Amazon and Google might not just be watching over our pets. According to an article in The Verge, they can also aid law enforcement in their investigations of crimes, but only if we do not mind the police viewing our footage without a warrant.

That implies that the police can access our private information without first presenting proof that an emergency situation exists. Police will probably only make use of this access for lawful objectives, such as preventing crime or attempting to locate a missing person in need of assistance. However, it does raise some issues regarding what may transpire when this technology becomes even more widely used and available.

What if, for instance, this access is utilized to locate and detain activists or protestors who have not breached any laws? Citizens may only exercise caution when shopping, be aware that their smart device may record personal information, and, if possible, enable end-to-end encryption.

If you have any questions about how to secure your smart home, do not hesitate to contact me.

IoT Cybersecurity: Two New Documents Published by NIST

July 2, 2022July 1, 2022 / bugejajoseph / Leave a comment

As an IoT practitioner or device manufacturer, it is important to keep up with the latest developments in IoT cybersecurity. The National Institute of Standards and Technology (NIST) has recently released two draft documents for public comment that are relevant to the IoT.

The first is a discussion essay titled “Ideas for the Future of IoT Cybersecurity at NIST: IoT Risk Identification Complexity“. This discussion paper lays the groundwork for forward-looking talks on detecting and addressing risks for IoT devices by drawing on NIST’s earlier work in cybersecurity for the IoT (for example, NISTIR 8259).

The second is a draft NIST Internal Report (‘NISTIR’) 8425 titled “Profile of the IoT Core Baseline for Consumer IoT Products“. NISTIR 8425 recalls the consumer IoT cybersecurity criteria from NIST’s white paper on “Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products,” and incorporates them into the family of NIST’s IoT cybersecurity recommendations.

I recommend you keep tabs on these documents, particularly NISTIR 8425.

Corporate Security Standards, Best Practices, and Frameworks

February 17, 2022February 17, 2022 / bugejajoseph / Leave a comment

Effective information security management involves the use of standardized frameworks to guide decisions pertaining to security. All organizations have a responsibility to safeguard their information assets and reduce risk by using well-defined frameworks that are supported by corporate standards and best practices.

Over the years, many such standards, best practices, and frameworks have been developed for supporting information security managers. Along with ensuring that correct security controls are implemented, it is also important to be able to build and develop the business, IT, and security processes in a systematic and controlled manner. The security controls can be seen as the objects, and the processes are how these objects are used.

A simple depiction of the different security standards, best practices, and frameworks is shown below.

If you wish to learn about any of the above, please get in touch. You are also invited to suggest themes for me to write about.

The Ultimate OSINT Collection

February 10, 2022 / bugejajoseph / Leave a comment

For threat agents, reconnaissance (scouting) and gathering intelligence are vital. The aim is to get as much information about a potential target, as possible. With that information, they can exploit any weaknesses in a system or an individual, which will allow them to gain access to a system. One type of data that is often overlooked by victims and hackers alike is publicly available data. The collecting and analysis of data acquired from open sources (overt and publicly available sources) is known as open-source intelligence (OSINT). Some examples of OSINT are social media, forums, news, blogs, public data and reports, and other publicly available materials.

Red or blue, OSINT could effectively assist threat agents and researchers alike in discovering dark places that they may be unaware of. It allows them to create attack scenarios for red teams or hypotheses for threat hunting. Most cybersecurity initiatives, in my opinion, should include OSINT; a service that is often overlooked. A fantastic one-stop shop for the best OSINT content is compiled by @hatless1der and is available at the website: https://start.me/p/DPYPMz/the-ultimate-osint-collection.

Investigative tools/resources collection from Hatless1der OSINT collection.

Please remember to get in touch if you want to learn more about cyber security research and OSINT.

Cyber Threat Maps

January 27, 2022 / bugejajoseph / Leave a comment

A cyber threat map, sometimes known as a cyber attack map, is a live map of current computer security attacks. These maps allow one to observe attacks as they pass through countries and continents. The majority of the cyber threat maps resemble video games, with colorful light beams indicating attacks from one region of the world to another.

Cyber threat maps can be highly useful in examining past attacks in terms of locations, volumes, and patterns. They can also help someone who is just starting out in their studies to acquire a sense of what is involved in the intricate world of cybersecurity. Last week, I had my introductory lecture on cyber security at Malmö University. I used cyber threat maps in my lecture to help raise awareness of how prevalent cyber security attacks are.

Here are three of my favorite cyber threat maps (listed in no particular order):

• Check Point ThreatCloud Live Cyber Threat Map

• FireEye Cyber Threat Map

• Kaspersky Cyberthreat Real-Time Map

If you want to learn more about the topic of attack detection and how cyber threat maps work, you are welcome to get in touch.

Where are we today with IoT Security Standards?

January 9, 2022January 1, 2022 / bugejajoseph / Leave a comment

IoT security standards are necessary because the IoT is fundamentally insecure. It is hard to predict whether or not an IoT device will be hacked, and even if it is, what data will be compromised. There must be defined criteria for security standards for this technology to evolve responsibly without introducing new problems. Here is a quick rundown of some of the most recent security standards.

In the United States, in December 2020, the IoT Cybersecurity Improvement Act of 2020 was signed into law. This is the first piece of IoT legislation in the US aimed at ensuring that federal agencies only buy IoT devices that adhere to strict security protocols. A new cybersecurity standard for consumer IoT (ETSI EN 303 645 V2.1.1) products was introduced in the European Union in June 2020. The purpose of this standard is to encourage better security practices and the use of security-by-design concepts in the creation of new connected consumer products. The Department of Culture, Media, and Sport in the United Kingdom announced new measures also in June 2020 to protect users of internet-connected household devices from cyberattacks. They implemented a product assurance scheme that requires certified IoT devices to bear an assurance label or kitemark indicating that they have completed independent testing or a thorough and accredited self-assessment process.

When it comes to the IoT, one of the most crucial considerations is security. As the IoT grows more intertwined in people’s lives, security standards are required to keep it safe from hostile attacks and prying eyes. There is so much that can be done to improve IoT security, and this is an opportunity for bright minds to get together and influence the IoT’s future.

Finally please remember that you are welcome to contact me and suggest themes for future posts.

The Internet of Things and Security

January 2, 2022December 27, 2021 / bugejajoseph / Leave a comment

The Internet of Things (IoT) is changing the way we live. The IoT is the idea of having devices that are connected to each other and can be controlled via the Internet. Cameras, refrigerators, alarm systems, televisions, and other electronic gadgets are examples of such devices. The IoT has contributed to giving people an improved quality of life.

But how can we put our trust in all of these IoT devices? How can we be sure they will not turn against us? How will we know whether or not the device we are utilizing is safe? All of these questions are key to unlocking growth in the IoT.

IoT devices can be both, physical and virtual in nature. They can have a variety of different functions, from being a simple remote control to being a complex system that monitors the environment, collects data, and sends it back for analysis.

Many people do not realize that their smart home devices may contain security vulnerabilities that hackers could exploit. Hackers can enter a smart home or even switch off the power by exploiting weaknesses in IoT devices such as connected door locks and lighting systems. For instance, over the course of one week, a study by the UK-based consumer group Which? discovered 2,435 malicious attempts to enter into devices with weak default usernames and passwords in a fake “smart home.”

Cybersecurity is a critical responsibility for organizations of all sizes, but manufacturers, in particular, must do more to ensure that IoT devices are secure from hackers and do not endanger consumer lives. Recently, in the UK, the Product Security and Telecommunications Infrastructure (PSTI) Bill was introduced subjecting stricter cybersecurity rules for manufacturers, importers, and distributors of IoT technologies. This new legislation intends to better protect consumers’ IoT devices from hackers, as well as help the IoT market get the trust it needs to reach its full potential.

If you would like to learn about IoT security and how to safeguard your IoT devices, please get in touch.

My Lecture about the IoT and Data Privacy

December 16, 2021 / bugejajoseph / Leave a comment

We live in a world where even brushing our teeth can constitute the transmission of data to servers across the world. One day, we will sleep with smart pillows that will be able to detect our stress levels and send them to an app on our phone. We already wear fitness trackers all day, every day. What does this mean for our privacy? This is what I talked about during my 2-hour guest lecture at Malmö University on December 15.

The Internet of Things (IoT) is all around us, and with it comes an increased risk of privacy and security breaches. In the age of the IoT, we must be cautious about the information we make available to the public or share with shops and manufacturers. We must also consider how businesses may exploit personal data to discriminate against us or charge us extra since they have more knowledge about us thanks to these devices.

Please feel free to get in touch if you need any information about privacy, security, or related topics.

Joseph Bugeja

Security, Privacy, and Trust

security