Are You Being Stalked via Your Fitness Monitor?

In our October 2017 MicroOutlook, I wrote about the risks of the Internet of Things (IoT) and the accompanying management challenges to keep your organization safe. Here’s a fresh example.

This week, news came out about an unexpected side effect of many popular Strava-enabled fitness trackers. These devices interface with your smartphone, compile activity data, and give you all sorts of reporting. Sounds good, right? Except the latest version includes a heat map which gets uploaded to the manufacturer, who makes it available on the Internet, and it shows the aggregated routes of all its users. Social media users quickly realized that this info could be used to figure out where Western military camps in the Middle East are located. Fitness-conscious soldiers jogging about the bases’ perimeters were building up nice neat traces on the heat maps over time.

Remember, IoT presents many security challenges. You can’t simply say ‘It’s just a temperature sensor’ or ‘it’s just a fitness tracker’. Any device that gathers data and connects to either the Internet or a network has to be scrutinized before it’s deployed. And you have to monitor your network to make sure employees aren’t bringing in their own devices and attaching them to computers or data jacks.

If your organization needs help with managing IoT or security, contact us for assistance.

Everyone stay safe out there!


 

What Last Friday’s Denial-of-Service Attack Teaches Us

Most likely you were affected by last Friday’s DDoS attack. Everyone awoke and found many popular Internet sites slow or unresponsive. This was due to a multi-pronged attack against Domain Name Service (DNS) provider DynDNS and on Amazon Web Services. Affected sites included Twitter, Spotify, Soundcloud, and many others.

Without getting into too much technical detail, a DDoS attack utilizes thousands of compromised systems to flood a service – in this case Dyn and AWS – with so much traffic that its servers are overwhelmed trying to respond to it. It took Amazon and Dyn a couple of hours to restore normal operations.

The exact cause and ultimate size of Friday’s attack haven’t been pinpointed yet, but other recent attacks were conducted by compromised Internet-of-Things (IoT) devices – think toasters and refrigerators with built-in connectivity. I’ve been amused by the predictions of how IoT will take over the world without any problems when as yet we can’t even effectively manage security on the much smaller number of devices we already use. IoT devices use very simple embedded operating systems – most with minimal security – and many with undocumented embedded backdoor access mechanisms from their manufacturers.

So what can be learned? A couple of things.

First, a reminder. If you are 100% reliant on Cloud services, you have to be prepared for downtime and have a plan for how you’ll respond.

Second, be very careful with IoT devices on your business network. Heck, be careful with them on your home network. Most offer no option to monitor or manage what they are doing or what information they are collecting. If you have IoT devices that you want to leverage at your business, plan to deploy them securely on an isolated network.

Finally, consider updating your employee policies to cover bringing these devices into your organization. This is similar to employees bringing in their own wireless notebooks/tablets/etc., but now there can be many more varieties of devices.
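One way to act on the advice in both posts (watch for devices employees bring in, and keep IoT on an isolated network) is to compare DHCP leases against an approved inventory. This is an added example, not part of the original posts; the subnet, the inventory, the lease line format and the function name `audit_leases` are all assumptions, and the sample data is constructed.

```python
import ipaddress

# Assumed layout: IoT devices are supposed to live only on this isolated subnet.
IOT_NET = ipaddress.ip_network("10.99.0.0/24")

# Constructed inventory of approved devices: MAC address -> approved role.
INVENTORY = {
    "02:00:00:00:10:01": "workstation",
    "02:00:00:00:10:02": "workstation",
    "02:00:00:00:20:01": "iot",  # lobby thermostat
    "02:00:00:00:20:02": "iot",  # badge reader
}

# Constructed lease export, one device per line: "<ip> <mac> <hostname>".
SAMPLE_LEASES = """\
10.10.0.21 02:00:00:00:10:01 acct-pc-01
10.10.0.22 02:00:00:00:10:02 acct-pc-02
10.99.0.10 02:00:00:00:20:01 thermostat-lobby
10.10.0.57 02:00:00:00:20:02 badge-reader
10.10.0.88 06:12:34:56:78:9A fitness-band
"""


def audit_leases(text, inventory=INVENTORY, iot_net=IOT_NET):
    """Return (finding, mac, ip, hostname) tuples for leases that break policy."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # skip blank or malformed lines
        ip = ipaddress.ip_address(parts[0])
        mac = parts[1].lower()  # normalise case before the inventory lookup
        host = parts[2] if len(parts) > 2 else "unknown"
        role = inventory.get(mac)
        if role is None:
            # Device nobody approved, e.g. something an employee plugged in.
            findings.append(("unapproved-device", mac, str(ip), host))
        elif role == "iot" and ip not in iot_net:
            # Approved IoT device that ended up outside the isolated network.
            findings.append(("iot-outside-isolated-net", mac, str(ip), host))
        elif role != "iot" and ip in iot_net:
            # Ordinary host sitting on the segment reserved for IoT.
            findings.append(("non-iot-on-iot-net", mac, str(ip), host))
    return findings


if __name__ == "__main__":
    for finding in audit_leases(SAMPLE_LEASES):
        print(*finding)
```

On the sample data this flags the badge reader that landed on the office subnet and the fitness band that is not in the inventory at all.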