The Deep & Dark Web

TV shows like CSI: Cyber and others talk about the Dark or Deep Web. What is it?

They are actually two related but different things.

The Deep Web, aka Deep Net, Invisible Net or Hidden Web, is that part of the Internet that is not indexed by standard search engines. When you do a Google or Yahoo search, for example, you will never see anything located in the Deep Web.

The Deep Web is several orders of magnitude larger than the searchable part of the World Wide Web. We only skim the surface of total available content. This surface metaphor is why it is called the Deep Web. What is in the Deep Web?

  • Websites that are not registered with any search engine. This could be deliberate as a company is building their first web site. They want to be able to view it and make sure it is working as desired, but do not want just anyone to stumble across it. It could also be an accident: the web builder forgot to register it with search engines.
  • Dynamic content or pages returned in response to a query or accessed only through a form. Some process creates dynamic content web pages at the time the page is displayed in the browser, usually based on information provided in a user request or information stored about the user. One example that you often see is the current view of your shopping cart for an online purchase.
  • Unlinked content, pages that are not linked to from any searchable page. Search engine web crawlers usually cannot find those pages.
  • Scripted content, pages that are accessible only through links produced by JavaScript and similar mechanisms.
  • Pages that contain encoded data or special file formats that are not recognized by search engines.
  • Web archives.
  • Private web sites that require registration and login.

The Deep Web itself is not evil but a natural result of the development of the Internet. A significant number of web sites deliberately have content in the Deep Web to control access to sensitive or proprietary information, or as part of their ability to provide custom information tailored to specific visitors. In general, you cannot tell if you are viewing something from the Deep Web.

The Dark Web is part of the Deep Net that exists on what are called darknets. A darknet overlays the public Internet and requires specific software, configurations or authorization. Dark Web sites often use non-standard communication protocols and ports.

Protocols are the rules that allow two or more network devices to communicate. There are dozens of network protocols, several of which you have used. TCP (Transmission Control Protocol) is the basic communications protocol used to support Internet communication. Other protocols often run over TCP, like IP (Internet Protocol), FTP (File Transfer Protocol) or HTTP (Hypertext Transfer Protocol). A port is the logical construct of one end of a communication. The first 1,024 port numbers (0 through 1,023) are defined. For example, port 80 is used for the HTTP protocol used for the World Wide Web. There are over 65,000 possible port numbers. Most firewalls block unknown ports unless individually overridden.

Primarily for security reasons, Darknets were originally implemented in the 1970s to be isolated from the ARPANET, which was the origin of the Internet. By 2002, the Dark Web was used for multiple and often illegal purposes:

  • Protect information from targeted and mass surveillance.
  • Protect dissidents from political reprisal.
  • Support whistleblowing and news leaks.
  • Support computer crime.
  • Provide a market for restricted or illegal items.
  • Support file sharing, often in violation of copyright laws.

You will probably never see anything from the Dark Web. Because of the special programs required to access it, it is very difficult to get to the Dark Web without meaning to.

The last word:

The Deep Web is a normal part of the World Wide Web. You are often accessing information from the Deep Web without even knowing it.

You should, however, be concerned about the Dark Web. You, your employees or your children cannot accidentally access the Dark Web. It requires specialized software, not just your favorite browser. That software is, however, available on the searchable web and often free.

For your business, the best defense is a strong network defense strategy and policy. You should limit the protocols and ports available in your internal network to only those necessary to run your business, and audit those defenses at least once a quarter. Your security policy should require that any BYOD (bring-your-own-device) equipment also be similarly protected, and prohibit any employee from accessing the Dark Web from any device that is also used for company business.
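One way to carry out the audit described above, as an added example that is not part of the original post: compare what the firewall actually passed against the list of protocols and ports the business needs. The allowlist, the 10.0.0.0/8 internal range, the log format and the sample records are all assumptions constructed for illustration.

```python
"""Audit observed network flows against a protocol/port allowlist."""
import ipaddress
from collections import Counter
from typing import NamedTuple

# Assumed policy: the only (protocol, destination port) pairs this
# hypothetical business needs. Anything else should be blocked.
ALLOWED = {("tcp", 80), ("tcp", 443), ("tcp", 587), ("tcp", 53), ("udp", 53)}

# Assumed internal address range.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample records: "source destination protocol dest-port action".
# Addresses come from private and documentation ranges only.
SAMPLE_FLOWS = """\
10.0.1.15 192.0.2.10 tcp 443 allow
10.0.1.15 10.0.0.2 udp 53 allow
10.0.1.22 198.51.100.7 tcp 8444 allow
10.0.1.22 198.51.100.7 tcp 8444 allow
10.0.1.30 203.0.113.9 tcp 2222 deny
10.0.1.31 192.0.2.44 udp 123 allow
198.51.100.7 10.0.1.22 tcp 8444 deny
not a flow record
"""


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int
    action: str


def parse_flows(text):
    """Return (flows, rejected_line_numbers); malformed lines are reported, not dropped silently."""
    flows, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts:
            continue
        try:
            src, dst, proto, dport, action = parts  # wrong field count raises ValueError
            ipaddress.ip_address(src)
            ipaddress.ip_address(dst)
            port = int(dport)
            if not 0 <= port <= 65535 or action not in ("allow", "deny"):
                raise ValueError(line)
            flows.append(Flow(src, dst, proto.lower(), port, action))
        except ValueError:
            rejected.append(lineno)
    return flows, rejected


def audit(flows, allowed=ALLOWED):
    """Check outbound flows from internal hosts against the allowlist.

    gaps: traffic the firewall passed although the policy does not list it,
          which means a rule is broader than the policy.
    blocked_attempts: per-host count of blocked attempts to use an unlisted
          port, which points at devices that need a closer look.
    """
    gaps, attempts = Counter(), Counter()
    for f in flows:
        if ipaddress.ip_address(f.src) not in INTERNAL:
            continue  # this audit covers traffic leaving internal hosts
        if (f.proto, f.dport) in allowed:
            continue
        if f.action == "allow":
            gaps[(f.proto, f.dport)] += 1
        else:
            attempts[f.src] += 1
    return {"gaps": dict(gaps), "blocked_attempts": dict(attempts)}


if __name__ == "__main__":
    flows, rejected = parse_flows(SAMPLE_FLOWS)
    report = audit(flows)
    for (proto, port), count in sorted(report["gaps"].items()):
        print(f"POLICY GAP  {proto}/{port} passed {count} time(s)")
    for host, count in sorted(report["blocked_attempts"].items()):
        print(f"BLOCKED     {host} tried an unlisted port {count} time(s)")
    print(f"Unparseable lines: {rejected}")
```

Any entry under "gaps" is a firewall rule to tighten or a business need to add to the written policy; keeping each quarter's report makes the next audit a comparison rather than a fresh start.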

As for your children, as with many subjects the best defense is conversation. Make sure that they understand the danger of the Dark Net. It is not a safe place to play.

Comments solicited.

Keep your sense of humor.


While the US government has never been very good at protecting our personal information against cyber attacks, the Obama Administration has set records for incompetence in the area of data security. The current score: F.

Here are just some of the breaches that have occurred under the current administration. I am sure I have missed some.

  • Individual rogue employees and contractors, including Edward Snowden, have made public information on more than 2.4 million government personnel available to the media.
  • Tricare, the US military health program, had 4.9 million records stolen from unencrypted backup tapes (Sept. 2011).
  • Stratfor, a global intelligence firm serving the US Government, had 860,000 records stolen by the hacktivist group AntiSec (Oct. 2011).
  • The US Navy Criminal Investigative Service had a breach involving 220,000 military personnel from the database that manages transfers of service members for all branches of the US military (June 2012).
  • The National Oceanic and Atmospheric Administration (NOAA) had a data breach in 2013 that they have not investigated because the data was stolen through a contractor’s personal computer. As of a July 2014 report, NOAA does not know what data was stolen and whether it involves any personal information.
  • The Department of Energy had 104,000 records stolen from their Employee Data Repository database (July 2013).
  • USIS, a company that conducts background checks for the Department of Homeland Security, reported a cyber-attack that impacted 25,000 people (Aug 2014).
  • The U.S. Postal Service had a breach involving the loss of names, Social Security numbers, and addresses that impacted more than 800,000 personnel (Nov. 2014).
  • The State Department has shut down its unclassified email system (Mar. 2015) because of a cyber-attack linked to a breach at the White House (Oct. 2014). This on top of the illegal actions of Hillary Clinton and her staff while she was Secretary of State and after she resigned.
  • The Internal Revenue Service had a data breach that involved the detailed tax-return information on 104,000 taxpayers (May 2015).
  • The Office of Personnel Management, which keeps track of every US government employee and contractor, has had two breaches since July 2014 involving at least 21.5 million individuals. Also potentially impacted are job applicants for federal jobs. Because this database was used for background checks for individuals, spouses and co-habitants, immediate family, close contacts and references could also be impacted. If you may be impacted by this OPM data breach, there is more information here.

Many of these attacks appear to be “practice” attacks. Cybercriminals started by seeing what they could attack and what data they could access. It was only after their success at that stage that they advanced to turning a profit from these activities. It did not take them very long to go from “well, that worked” to full-scale general attacks and, more recently, to more focused attacks.

But the larger concern is that stealing the data may not be the real objective. The access to our government’s sensitive data that our enemies have demonstrated with these attacks also gives our attackers the ability to change or remove the data. Imagine the impact of an attacker deleting around 100 million individual and company records from the IRS databases. Such an attack would be quickly identified, but the fix would not be quick. Even worse would be the impact of making random changes to the data, for example changing filing dates or the amount of tax paid. Those changes would be exceedingly difficult to identify and correct. Imagine the damage such unauthorized changes could make to FBI, Department of Defense, or other security-dependent databases.

These attacks are not isolated and unusual events. Many of them appear to be organized attacks by other governments, especially China. As such they are acts of war. Our current administration has demonstrated a complete lack of concern and ignorance of the implications of these attacks. President Obama consistently appoints people to high positions who are either totally ignorant of data security or do not care about the welfare of the citizens of the United States, or both. OPM was not monitoring the security of their networks and data and was not encrypting data as required by federal regulations. These people, like Katherine Archuleta, the former director of the Office of Personnel Management, should not be allowed to simply resign and seek another government job. They should be immediately fired and lose all government pensions, medical coverage, termination bonuses or any other government benefit. In some cases, and Ms. Archuleta is one such case, these so-called leaders should be tried for violating federal data security laws and fined or jailed as specified by those laws if convicted. It is past time for Congress to act to make the punishment fit the crimes these “leaders” commit.

The last word:

What do you do if you believe your personal data has been stolen or, worse, modified? You are pretty much on your own. Unlike companies, government organizations do not have to provide any support or even notify you that your data has been compromised. OPM has stated they have notified impacted individuals, and you can request a suite of services including free credit reports. As always, you should be checking all of your financial accounts frequently, more often than once a month since in some cases you only have 30 days to report a problem. Consider using one of the “identity theft prevention” services. I use LifeLock Ultimate Plus, which monitors financial accounts. I get notification of a financial transaction that meets criteria I specify within 48 hours.

At the first hint of a problem, notify the government organization involved. If you do that online or over the phone, make sure you get a “claim number” so you can prove that you did notify them. If you do not get quick resolution, consult your financial advisor or lawyer and notify your Congressional representatives.

Comments solicited.

Keep your sense of humor.


I have recently posted about autonomous vehicles replacing the long haul trucker and on the farm. The next place I see autonomous vehicles making a disruptive change will be in big city taxis. In 2014 there were over 51,000 licensed taxi drivers in New York City and just under 14,000 licensed cabs, each driving an average of 180 miles per shift. Over half of these cabs are hybrid vehicles.

The taxi industry is currently under attack by companies like Uber, which provides a trust-based TaaS (Transportation as a Service). If you want a ride in a city where Uber operates, use your Uber app and call for a ride. A nearby Uber driver can drive to your location and take you to your destination. Since the drivers rate the passengers and vice versa, each builds up a trust score, enabling each party to determine if they want to deal with the other before actually agreeing on the ride.

But autonomous vehicles will be a greater disruption to the taxi industry. Let’s fast-forward ten years and see what it will be like to get a cab in New York City.

Using your cab-app, which works almost everywhere in the world, you indicate the number of people, your destination, accessibility requirements, and whether you have a lot of luggage. In most hotels and major transportation hubs like airports, train stations, and bus terminals there will be kiosks that provide the same “call” service. You will get a receipt, printed by the kiosk or an image on your smart phone, that indicates where and when to meet the cab along with the cab number.

Based on what you asked for, you will get an appropriately sized vehicle up to as large as a 24-passenger van, with wheelchair accessibility, baby car seats, and luggage space as requested. Based on the destination, you will likely get an electric vehicle. The “standard” cab will be a small electric car with two seats and a space behind the seats for luggage. Simply scan your receipt at the cab door to unlock the cab.

On my first business trip to Mexico I noted that the taxi drivers in Mexico City were just like those in New York City: they drove crazily and didn’t speak English. Your autonomous cab “driver,” a disembodied voice, will speak and understand over 100 languages. Based on your desires, the driver can provide sightseeing information as it takes you to your destination, music of your choice, news updates, conversation on a topic of your choice, or blissful silence.

The cab system will be integrated into the public transportation system, providing the “last mile” connections to where you live or work. Your cab receipt could include your “ticket” for public transportation, with another cab waiting at the end of the subway or bus ride to take you to your destination.

Since they carry no money, these cabs cannot be robbed, nor can they be hijacked. The cab can only be accessed by someone with a receipt for that particular cab. Because they are linked through the Cloud and using GPS, the cab operating company always knows where all of their cabs are. The company can instantly, and probably automatically, react to changing load demands, putting more cars on the streets or bringing some home. The cabs themselves will automatically come “home” if they need to be recharged. It can go into any neighborhood, providing balanced coverage over the different areas of a city. As a rider, you know the driver is not under the influence of alcohol or drugs, or being distracted by texting or personal issues. One hot summer lunchtime, I took a cab in New York City. Every time the driver saw a pretty lady, he stuck his whole head out the window and said “Hi, beautiful!” There are a lot of pretty ladies in New York City. Somehow he got me safely to my destination.

These autonomous cabs provide an inexpensive, reliable way for people without cars to get to work, school, or health care facilities. I was a little surprised at a Pew Research Center report that smartphone dependency “is up sharply nationwide, particularly among lower-income households and those with fewer years of education.” Especially for those without broadband in their home, the smartphone is their only connection to online resources. Considering the importance of the Internet in finding a job and doing almost anything else today, I would hope that organizations, public and private, who are trying to help the unemployed or underemployed would consider providing a low cost smart phone plan for each client.

Of course it also provides the government the ability to see where you have gone. Our privacy laws need to be updated to account for all of the new and emerging technologies, from E-ZPass to RFID enabled credit cards to automated public transportation.

In this same ten-year timeframe, I also expect to see a sharp decline in car ownership or leasing in major cities. Autonomous cabs make intra-city transportation convenient and flexible, and eliminate the need to find parking spaces. It can take days for the city to clear all the minor streets in a city after a major storm. With significantly fewer personal vehicles in the city, it will be easier for the city to get the streets clear and maintain the roads.

The autonomous cab companies will also offer special weekend or longer rates, and will probably partner with major car rental companies to provide one shop service for everything from pickup for the weekend move to a large drive-yourself vehicle for that two week vacation to the mountains.

By that time, we will have companies providing complete Transportation as a Service (TaaS).

Like everything else in the Cloud, TaaS provides economies of scale for the large providing companies, and less expense for individuals and small companies as the TaaS providers take over every aspect of maintaining vehicles. I also expect many government agencies at all levels will opt-out of the expense of owning their own vehicles.

The last word:

Five years ago you were probably surprised when a prospective employer asked permission to check out your credit report as part of the employment process. Companies believed that your credit report might give them some different perspective into their risk of hiring you. This trend is dropping due to the Fair Credit Reporting Act restrictions on what they can actually see in a credit report. For example, a hiring company cannot see your credit score, and they can’t force you to provide permission to access it, although there is no way to determine what will happen to your application if you don’t. Ten states have outright bans or severe limits on the ability of a prospective employer to access your credit report.

However, the next time you apply for a job, don’t be surprised if you are asked to provide access to your trust report. Today if you buy or sell things on Amazon, use Uber or any other trust-based Cloud service, you are creating a trust score within that company. Expect that within a few years there will be Trust Reporting companies like the current big-three credit reporting companies (Equifax, Experian, TransUnion). These companies will combine the trust information from all of the organizations you deal with and create your personal Trust Score.

If you think it is tough to get rid of an inaccurate entry in your credit report, imagine the experience of dealing with one in your trust report.

Comments solicited.

Keep your sense of humor.


Last time I wrote about autonomous trucks disrupting the business of long haul trucking. But many of you may not be aware of the similar revolution in large-scale farming: what I call UFVs (unmanned farming vehicles).

We were a little ahead of schedule on a recent Midwest road trip. Since we were near Moline, Illinois, we stopped in at the John Deere Pavilion. John Deere was a blacksmith and general repairman in the village of Grand Detour, Illinois. He also made small hand tools for farmers like pitchforks and shovels. In 1837, John Deere created a self-scouring steel plow. Prior to his plow, a farmer would have to stop his horse every few yards to remove the stuck-on rich Midwestern soil; Deere’s plow eliminated this build up and was a key factor in the migration into the American plains in the nineteenth century. Deere also did business differently: instead of building his products when they were ordered, he built up a stock so his customers could see the plow, and load it up on their wagon and take it back to the farm. For 175 years, John Deere has been making state-of-the-art farm equipment for farms of all sizes and is now the largest agriculture machinery company in the world. You have probably seen a green and yellow tractor busily mowing one of your neighbor’s lawns.

The John Deere Pavilion we visited was for the other end of the spectrum: the business or corporate farmer with more than a few hundred and up to more than 2,000 crop acres. As a point of reference, 640 acres is a square mile. For that size enterprise, a single tractor can cost about a quarter of a million dollars, with a combine coming in at over $500,000. But what you get with that today is pretty close to a UFV. With advanced GPS controls, the tractor can navigate the farm pulling cultivators and other equipment, overlapping rows by just six inches without the farmer touching any controls. The equipment will test the soil every few yards so when planting it knows exactly how much of what fertilizer to put down with the seed, significantly reducing the amount of fertilizer needed. This saves money, but more importantly reduces the environmental impact of farming by only using fertilizer where it is needed.

At harvest time, the up to forty-foot wide combine will cut the crop, again overlapping by six inches as it goes back and forth across the field. When one of its hoppers is full, it calls a tractor pulling a large wagon. The tractor runs alongside the combine and the combine unloads the full hopper into the wagon, then the tractor heads back to the storage area. All this while the combine is harvesting, and without the farmers on either vehicle touching anything.

These vehicles do not have the old metal seats of the nineteenth century tractor, or even the relatively comfortable seats of a lawn tractor. These vehicles have an air-conditioned cab, a seat that is as comfortable as any you might have in your office or even your living room, satellite radio, two touch screens to control the major activities and monitor the equipment, and a refrigerator. The equipment is designed to run 24 hours a day, with shifts of farmers on board for eight to twelve hours at a time.

This picture is of a combine with a relatively small header (the cutting and gathering attachment at the front). This one is only 22 feet wide. The orange dome on the top of the cab is the GPS unit. If you look carefully, you will see that the farmer is sitting back in the seat with his arms on the arm rests of the chair; he is doing nothing to control the combine. You might also note that the cab is level even though there is a slight slope on the ground.

Today there must be someone on board, primarily to monitor the equipment status but also for safety reasons like watching for rogue animals. The Pavilion had a prototype of a fully autonomous tractor: no cab, no seat. I expect we will see fully autonomous farm equipment working in the fields in the next couple of years. This equipment will be able to prepare, plant or harvest a large field without someone onboard. Eliminating the farmer on board saves a lot of weight and cost for the cab and environmental, safety, and manual control systems. It would also eliminate the need to have the cab held level for the comfort of the farmer.

As with the autonomous long haul trucks, there will be an app to allow moving into and out of the barn, or onto a trailer for transport.

At the John Deere Pavilion was a much smaller harvester: a rice harvester, made exclusively in China and only sold in China. I was told that was the only one of its kind that was not in China. It is designed for the smaller rice fields in China. Notice the cab is not nearly as fancy, but the design is based on the needs of the Chinese rice farmer and will enable them to increase their productivity without the hard manual work of rice harvesting.

The last word:

Why does this matter? The United Nations’ Food and Agriculture Organization believes that food production must increase by 60% to feed the expected nine billion humans who will be alive in 2050. With today’s technology, one farmer can accomplish in one day what it took six or more farmers a week to do just twenty years ago. See a six-minute movie on how John Deere uses big data to help farmers improve productivity here.

I think John Deere’s vision is helping. The day before we got to Moline, a farmer came in to pick up two of their big harvesters, and would be back in a week or so to pick up the other four he ordered.

We literally would starve in the US without the improvements companies like John Deere have made since a single horse pulled a single plow blade at about 2 miles per hour.

Comments solicited.

Keep your sense of humor.


Long haul truckers move a lot of America’s goods. You see the eighteen wheelers on the Interstates and you know those guys, and ladies, have been driving hours every day to get their load from point A to point B over distances of up to 3,500 miles. Often, when you are outside of a major metropolitan area on an Interstate, 75% of the traffic is long haul trucks. The U.S. Bureau of Labor Statistics estimates that there are 1.5 million long haul truckers on the road today, expected to go over 1.8 million by 2020. There are about 200,000 job openings nationwide for long haul truckers right now.

Why aren’t unemployed or underemployed folk flocking to these jobs? The median annual wage is almost $38,000, with some long haul truckers making more than $58,000 a year. That’s not bad for a job that does not require even a high school diploma. One hurdle is getting a CDL (commercial driver’s license). It can take eight weeks and $6,000 to earn one. Then the job is not for everyone. Many drive by themselves most of the time, and they often live for weeks at a time in the back of their truck in a space the size of a closet.

But I believe we are coming to the end of the long haul trucker. I predict that in ten years there will be virtually no long haul truckers, except for moving vans. Why? The first place autonomous vehicles will really take off is in long haul trucking.

We are in the very early stages of autonomous vehicles that can safely get themselves to a destination with no human intervention. Remember how long it took before there was reliable air travel. The first scheduled fixed wing air service started in January 1914, flying from St. Petersburg to Tampa, Florida, ten years after the Wright Brothers flight in December 1903. That might not have been considered reliable transportation by everyone. We are almost to that stage with autonomous vehicles. The first real demonstration of an autonomous vehicle was in the 2005 DARPA Grand Challenge. At this point, four states and two cities allow autonomous vehicles on the highway (Nevada, Florida, California, Michigan, Washington DC, and Coeur d’Alene, Idaho). There are still lots of hurdles to overcome, including cost, liability laws, and public confidence before autonomous cars are common.

The lack of confidence is caused by just thinking about all the things that can go wrong in an urban environment: children playing, pedestrians, bicycles, and manned cars going through red lights, making strange turns, trying to park, or just being distracted. Over a recent six-month period, Google’s self-driving cars have gotten into four accidents in California where there were only 48 autonomous cars. Google claims that the autonomous vehicles were not the cause of any of them. If we ever get to Google’s end point of no drivers in any car at any time, then in theory there would not be any accidents, and certainly a whole lot fewer than there are today. Getting there will not be easy.

But back to the long haul trucker. Almost the entire route is on the Interstate. Most of the distractions and dangers are removed by the design of the Interstate itself. No red lights, pedestrians, bicycles, cross traffic, parking, … The first autonomous vehicle license plate for a self-driving big rig went to a Freightliner “Inspiration Truck” in Nevada. It still requires a driver to handle turns at red lights and parking, so there must be a person in the cab.

But I view that as a short-term situation. I believe that within five years there will be thousands of autonomous big rigs on the Interstates, each pulling up to three trailers, and driving 24 hours a day at 65 to 75 miles per hour depending on the specific stretch of highway. No drivers, no one in the cab, and in fact no cab at all. Local truckers will take the trailers to a special lot near an Interstate on ramp, where an autonomous truck will be assigned to take that trailer to another special lot outside the destination city. There, another local trucker will pick up the trailer and drive the last ten to fifty miles.

In ten years there will only be autonomous long haul trucks on the Interstates. Near major metropolitan areas, those trucks will be shunted to the far left lane, leaving the right lanes for cars to jockey for space and exits without the trucks being in the way. Imagine a line of trucks, each with up to three trailers, zooming along I-80 south of Chicago at 70 mph and about 10 feet apart. When another long-haul truck pulls on the Interstate, the line of trucks will make space for the new truck.

The benefits to the trucking companies are obvious: no drivers to pay, no down time for the truck due to required rest breaks, and safer highways. The trucks will also be lighter, not having to have a cab with comfortable seats, air conditioning and heating, driver safety engineering and expensive manual controls. It will also be almost impossible to hijack an autonomous long-haul truck.

How do you back it up to pick up trailers, move it into a service bay for maintenance, or move it off the highway in an emergency? There’s an app for that. Someone can walk beside the truck for close-in maneuvering using a tablet. The trick will be to make sure that it only works when the person is close and has the “keys” to the truck.

But not moving vans. They will, I believe, still have actual drivers, if for no reason other than the families like to see a familiar face when the moving van pulls up to their new house.

The last word:

The impact will be on more than the over one million long haul truckers. Major truck stops along the Interstate will see their business change from servicing drivers to the rare servicing of an autonomous truck with a problem. It won’t be selling fuel: the trucks will be filled up before the journey with enough fuel to get to the destination point. You should expect to see many of these truck stops go out of business.

Along with the adult stores that also serve the truckers along the Interstates, like the Lion’s Den chain of 40 shops along the Midwest Interstates, some with gas stations.

Comments solicited.

Keep your sense of humor.


Google has created contact lenses that can monitor your glucose levels for diabetes control. Fitbit and Jawbone’s Up monitor functions like heart rate, calorie intake and sleep patterns. MC10 created BioStamp, a digital tattoo to collect data on body temperature, hydration levels, UV exposure and more. Proteus has developed a pill with sensors that work with a patch on the skin to measure a range of bodily functions. Or it can tell your doctor that you forgot to take your medicine.

All of this data can be uploaded, hopefully only to someplace you trust.

The next obvious step is already in use in Sweden: a chip implanted under your skin to allow you access to your office building, a cup of coffee, or the copier. Wave a hand to get entry, pick up your phone or tablet to unlock it, wave at your bicycle to unlock it, and soon pay for lunch in the cafeteria.

The implant is an RFID chip the size of a grain of rice. The chip has no battery: it is powered by the radio energy transmitted by the reader. All it contains is a unique number. The building’s servers are told which chips are allowed to open each door, make a copy on a particular copier, or what checking account to debit for lunch.

The Swedish Biohacking Group BioHyfiken manages this particular experiment at the Epicenter building complex in Stockholm. They view this office building as the start of something big. As Hannes Sjoblad, Epicenter’s chief disruption officer and a member of BioHyfiken said, “We want to be able to understand this technology before big corporates and big government come to us and say everyone should get chipped — the tax authority chip, the Google or Facebook chip.”

The Epicenter systems require that the chip be virtually touching the reading device, which sometimes means getting your wrist twisted to just the correct angle. But the range of these passive RFID chips can be up to 12 meters (almost 40 feet). For practical access control and security reasons you probably want to only read chips that are very close to the reader in order to only open a door you are really going to enter, not just because you walk by down the center of the hall. These chips are very inexpensive, currently about US$0.15 each. Expect that price to drop by at least 50% over the next couple of years.

But RFID is the technology that works with E-ZPass, the northeast US gadget that lets you drive under a road sensor at 65 miles per hour to pay road tolls without stopping, or the more complicated transponders used for PrePass to allow trusted truckers to bypass the long lines at weigh stations.

The uses of this kind of technology are as wide as your imagination. I once worked on a school attendance recording and reporting system that had to keep track of students’ attendance down to the tenth of an hour. If each student had an implanted chip, we could have easily captured when he entered and left the room, eliminating a lot of manual and error-prone effort by the teachers or aides. It would also have been difficult for a student to cheat by having someone else attend in his place.

For health care, having an embedded chip would allow any health care provider to immediately access that individual’s health care data even if the patient had no identification and could not respond to questions. This could eliminate the check-in process, whether for a normal office visit or a ride in an ambulance, and help in correct administration of medicine and procedures.

US Passports, along with those of many other countries, now contain a chip that is really a computer with its own storage of biometric and other identification data. A chip-enhanced passport goes by many names, including “biometric passport”, “e-passport” and “digital passport”.

It is reasonable to assume a future where every child is implanted with a chip at birth, and that chip becomes the driver’s license, voter registration, credit card, and health record for the individual until they die.

What do you think of this future? Oh, and by the way that future is probably less than 10 years away.

The last word:

Security is a big issue, especially with simple RFID chips like those used in the Stockholm Epicenter building. It would be trivial to capture the ID number from your chip with a reader hidden in the pocket of someone just walking by on the street. You would never know it happened, until the criminal created a duplicate chip and started using it. Suddenly, you can be placed at the scene of a crime when you were sleeping miles away, or have your bank account drained. It is possible to have fairly good security, comparable with what biometric passports have. But that comes at a higher price, and can still be compromised.

Speaking of passports, if you have a digital passport make sure you keep it in an RFID shielded sleeve except when actually in use. You are already doing that with any smart credit cards you have, right?
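To make the cloning risk described above concrete, here is an added example (not from the original post or from Epicenter's system) that models a chip holding only a unique number next to a chip that answers a one-time challenge. The chip number, the key and the HMAC challenge-response scheme are assumptions chosen for illustration; the post does not say which mechanism the better-secured chips use.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: this chip number and key are made up.
UID = "04A1B2C3D4"
ALLOWED_UIDS = {UID}
TAG_KEYS = {UID: bytes.fromhex("00112233445566778899aabbccddeeff")}

class KeyedTag:
    """Hypothetical chip that stores a secret key and never transmits it."""
    def __init__(self, uid, key):
        self.uid, self._key = uid, key

    def respond(self, nonce):
        # Prove knowledge of the key by MACing the reader's one-time nonce.
        return self.uid, hmac.new(self._key, nonce, hashlib.sha256).digest()

def static_reader_allows(uid):
    # Chip as the post describes it: the number alone is the credential.
    return uid in ALLOWED_UIDS

def keyed_reader_allows(uid, nonce, response):
    key = TAG_KEYS.get(uid)
    if key is None:
        return False
    expected = hmac.new(key, nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)

def demo():
    # Static chip: a copied number is indistinguishable from the original.
    copied_uid = str(UID)
    clone_opens_static = static_reader_allows(copied_uid)

    # Keyed chip: the door sends a nonce and checks the MAC that comes back.
    tag = KeyedTag(UID, TAG_KEYS[UID])
    nonce = secrets.token_bytes(16)
    uid, response = tag.respond(nonce)
    genuine_ok = keyed_reader_allows(uid, nonce, response)

    # A recorded response fails against the fresh nonce of the next attempt.
    replay_ok = keyed_reader_allows(uid, secrets.token_bytes(16), response)
    return clone_opens_static, genuine_ok, replay_ok

if __name__ == "__main__":
    print(demo())
```

The keyed design costs more per chip because it needs storage for a secret and enough logic to compute the MAC, which matches the post's point that better security comes at a higher price.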

Comments solicited.

Keep your sense of humor.


Last time I wrote about The Websense 2015 Threat Report and my key takeaways. One of those takeaways was that cyber attacks are more focused. Attackers are moving from being focused on an industry, like health care, to focus on a specific company, like Anthem. We are starting to see attacks that are aimed specifically at one organization within a company, targeting the people in that organization who are likely to have access to something the cybercriminals want.

Here is one interesting example from last year involving hacktivists. Hacktivists are cyber-criminals who attack a company not to gain monetary value but to impair the operation of the company. In this case, their targets were the few people in the company that managed the building security and environmental controls. From far away, these hacktivists locked the doors to the main server room and disabled the emergency override controls, then turned off the air conditioning and turned up the heat. The end result was a room full of physically destroyed computers.

How is this kind of specific attack done? Websense describes the seven stages of advanced threats.

  • Stage 1: Recon
    The first step is to identify at least one individual who has access to the information the attackers want. They start by using professional websites (like LinkedIn) to determine who works at the company and might be in the area in which they are interested. Then, through personal and social media sites, they identify others who might have the information they seek. They are also looking for the kinds of lures that might work with these selected individuals.
  • Stage 2: Lure
    Using the recon information, the cybercriminals create lures that can fool users into clicking on a link. These lures are dangled in emails and social media posts that appear to be from trustworthy sources.
  • Stage 3: Redirect
    When the lure works and the user clicks on the link, they are redirected to sites with malicious content such as exploit kits.
  • Stage 4: Exploit Kit
    An Exploit Kit will scan the user’s workstation looking for vulnerabilities which allow the delivery of malware including key loggers or other tools to enable further infiltration of the network.
  • Stage 5: Dropper File
    Once the Exploit Kit has discovered a path to deliver malware, the cybercriminal delivers a “dropper file.” The dropper file contains software to start finding and extracting data, and often includes additional capabilities to deliver other malware in the future, even after the existing vulnerabilities have been fixed. The dropper file may remain dormant for a period of time to avoid detection.
  • Stage 6: Call Home
    Once the Dropper File has infected the target system, it “calls home” to the hacker’s command-and-control system. Now the dropper file can download additional programs and tools, and get instructions. Now there is a direct connection between the cybercriminal and the infected system.
  • Stage 7: Data Theft
    At this point, the cybercriminal begins to collect the data. The data could be anything: intellectual property, financial, health or other personally identifiable data, or data that will enable additional attacks.

Not every advanced threat uses all seven stages. These same stages are also used in more general, less focused attacks.

Each of these stages provides a place to stop the attack. A prepared company has a kill chain against these advanced attacks that monitors and defends at every stage.
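As an added illustration of monitoring at every stage (example code, not from Websense or the original post), the sketch below tags alerts with the stage they belong to and flags a workstation whose alerts climb through several stages in order. The signal names, host names and events are constructed for the example, and the seven-day window is an assumption that leaves room for a dormant dropper.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Stage numbers follow the seven stages listed above. Signal names are
# hypothetical alert labels, not taken from Websense or any product.
SIGNAL_STAGE = {
    "suspicious_email_link": 2,    # Lure
    "redirect_chain": 3,           # Redirect
    "exploit_kit_landing": 4,      # Exploit Kit
    "unsigned_binary_written": 5,  # Dropper File
    "beacon_to_rare_domain": 6,    # Call Home
    "bulk_outbound_upload": 7,     # Data Theft
}

# Constructed sample events: (timestamp, workstation, signal)
EVENTS = [
    ("2015-05-04T09:02", "ws-17", "suspicious_email_link"),
    ("2015-05-04T09:03", "ws-17", "redirect_chain"),
    ("2015-05-04T09:03", "ws-17", "exploit_kit_landing"),
    ("2015-05-04T09:10", "ws-22", "suspicious_email_link"),
    ("2015-05-04T11:30", "ws-31", "bulk_outbound_upload"),
    ("2015-05-06T02:41", "ws-17", "beacon_to_rare_domain"),
]

def correlate(events, window=timedelta(days=7), min_stages=3):
    """Return {host: [stages]} for hosts whose alerts climb through at least
    min_stages distinct stages, in order, inside one time window."""
    by_host = defaultdict(list)
    for ts, host, signal in events:
        if signal in SIGNAL_STAGE:
            by_host[host].append((datetime.fromisoformat(ts), SIGNAL_STAGE[signal]))
    findings = {}
    for host, seen in by_host.items():
        best, chain, start = [], [], None
        for when, stage in sorted(seen):
            if chain and when - start > window:
                chain = []                  # window expired: start a new chain
            if not chain:
                start = when
            if not chain or stage > chain[-1]:
                chain.append(stage)
            if len(chain) > len(best):
                best = list(chain)
        if len(best) >= min_stages:
            findings[host] = best
    return findings

if __name__ == "__main__":
    print(correlate(EVENTS))
```

A single lure email or a single large upload stays below the threshold on its own; it is the ordered progression on one workstation that marks an attack moving through the stages.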

These attacks may be directed at the victim’s personal accounts, accounts with less protection and where the victim tends to be less careful. Also, a victim’s personal computer may be more vulnerable to attack than the IT-controlled office workstation, but that personal computer may be used by the victim for work-related activities and thus may contain information useful for breaking in to the office network.

The last word:

Today, you have the ability to use your smart phone to control your home thermostat and lock or unlock your doors. Just like the hacktivist example above, somewhere there is a group of hackers attacking you and the company that manages the communications with these devices. That company might be your Internet Service Provider (Comcast or Verizon, for example), or your home alarm company. If not already available, it will soon be possible to buy the access codes to a house or company or more likely subscribe to a BIaaS (Break-in as a service). For $1,000 the hackers will turn off the alarm, disable the video cameras, and unlock the back door at 2AM, then relock the doors, enable the video cameras and turn on the alarm at 5AM. They will know that you are away that night because they hacked into your newspaper’s database and noted your stop delivery request on your daily newspaper.

Welcome to our brave new world.

Comments solicited.

Keep your sense of humor.


