Acreto delivers advanced security for IoT Ecosystems, from the cloud, and protects Crypto / Blockchain, Clouds, applications, users, and all purpose-built IoTs. The company is led by an experienced management team, with multiple successful cloud security innovations. Learn more at https://acreto.io…
The universally accepted rule is that the Information Technology (IT) team has the final say on all things technology — right? Not so fast!
HTTPS is not Security. It's Privacy – and one of six fundamental security imperatives. Listen to the audio article by Acreto to find out more.
Why IoTs have created a security crisis and strained the communications infrastructure along the way. By Acreto IoT Security.

5G is coming! 5G is coming! But in the 4G LTE era, where access is lightning fast, what is driving the push for 5G? 4G is a technology from the 2000s with one primary intent: to enable mobile devices to take advantage of apps. For apps, app stores, streaming and other services to succeed, mobile devices need to just plain work. They must work transparently, reliably and consistently for users to interact with their apps and content. 4G solved the problems of 2G, whose data service was unusable, and 3G, which at best was used for email and some browsing in a pinch. To that extent, it has been a resounding success.

However, connected devices have seeped into everyday life in a low-key and transparent way. So much so that the prevailing industry mantra is that "IoTs are coming". In reality, IoTs arrived long ago. Today, mobile phones are ubiquitous; so ubiquitous that the mobile phone market has all but saturated. Yet the IoTs that are perceived to be "coming" already number twice that of mobile phones today (16 billion vs. 8 billion). Just think about how many smart devices are in your personal life already: smart TVs, smart thermostats, smart door locks, video doorbells, and more. Today, some version of anything and everything comes with an IP address. Tomorrow, everything will just be assumed to have an IP address.

IoTs are used for measurement, reporting, monitoring, content dissemination, cost management or performing a variety of other functions. In many instances, technologies are IoT enabled due to plain old peer pressure: everybody else is connected and we have to keep up with the Kardashians. Today, things that matter are connected, and there are a lot of things that matter. We are well on our way on the trajectory for "connected everything" to be the standard.
The exponential growth of connected devices has strained our communications infrastructure beyond its breaking point. It has driven the complete exhaustion of IPv4 addresses, which has forced unwilling network operators to fast-track the transition to IPv6. Moreover, network operators have realized that, much like IPv4, the 4G LTE network is cracking under the burden of connected devices. In reality, 4G just can't keep up with the scale trajectory and performance demands of IoT technologies. One of the key factors is that 4G is not decentralized enough: as decentralized as 4G networks are, they are still too centralized for the continuing increase in the volume of IoTs.

There are three infrastructure elements that have to mature in order to fully support the scale, form and function of the 21st century Internetwork of Everything.

First, Scale. Comparatively, enterprise technologies are like a gorilla, emphasizing static tools, while IoTs are like a swarm of bees: completely manageable in small quantities, overwhelming in medium quantities and suffocating at full scale.

Second, Form. In comparison to autonomous and network-centric technologies, IoTs are distributed and operate on many different public and private networks, with dependencies on remote, third-party operated applications and management.

Third, Function. Today's standards-based technologies can be used in a variety of roles. Inversely, connected technologies are often small, resource-limited, single-function devices that perform micro-functions.

Connected devices, IoTs, cloud-enabled technologies, or whichever other name they go by, operate at a radically different scale, with radically different form and function characteristics. Ultimately, they demand a radically different technology infrastructure altogether. First, let's talk about Addressing.
The Internetwork of Everything requires each and every device, server, cloud, desktop and anything else that makes up the Internet, no matter how small, to have a unique identity. Today we primarily use the IPv4 addressing scheme. IPv4 has a maximum capacity of 4.2 billion addresses (4,294,967,296 to be exact). However, consider that we have over 8 billion mobile phones alone, and another 16 billion IoTs in use today, not to mention all the computers. The world has turned to tricks like Network Address Translation (NAT) in order to compensate, but these are just band-aids that are currently straining at the seams. IPv6 has been in development since the mid-1990s (its first specification, RFC 1883, was published in 1995) and, in contrast to IPv4's 4 billion addresses, it sports 2^128, or about 3.4 x 10^38, addresses: 340 undecillion, 282 decillion, 366 nonillion, 920 octillion, 938 septillion, 463 sextillion, 463 quintillion, 374 quadrillion, 607 trillion, 431 billion, 768 million, 211 thousand and 456, to be exact. That address space is more than adequate for the massive scale of IoTs, but the longer addresses also make IPv6 more complex to configure, and many technologists have not yet built up the "muscle memory" they have with IPv4. However, the regional registries have run out of IPv4 addresses to allocate. Because of this, technologists are pushing to implement IPv6 on all their networks, and most of the major carriers and content providers have already deployed it. Anecdotally, IPv6 is said to have as many addresses as there are grains of sand on the earth, which should serve us well in supporting the massive expansion of IoTs to near 50 billion in the next few years. Next, let's talk about 5G Networks. 5G, as its name implies, is the 5th generation of mobile networks. It has several advantages over previous generations of mobile network technology, including scale, performance and availability, as well as in the demands it places on its constituent devices.
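Before moving on to 5G, an added example on the addressing section above (illustrative code written for this page, not Acreto's code or any standard's reference implementation). It puts the two address spaces side by side and adds the caveat a practitioner would raise about IPv6 giving every device a "unique identity": with stateless address autoconfiguration the interface identifier is often derived from the hardware MAC address (modified EUI-64, RFC 4291 Appendix A), so the address itself exposes the device's hardware identity unless privacy extensions (RFC 4941) are in use. The sample addresses are constructed.

```python
import ipaddress
from typing import Optional

# Sizes of the two address spaces discussed above.
IPV4_ADDRESSES = 2 ** 32    # 4,294,967,296
IPV6_ADDRESSES = 2 ** 128   # 340,282,366,920,938,463,463,374,607,431,768,211,456


def addresses_per_ipv4_address() -> int:
    """How many IPv6 addresses exist for every single IPv4 address (2**96)."""
    return IPV6_ADDRESSES // IPV4_ADDRESSES


def embedded_mac(addr: str) -> Optional[str]:
    """Return the MAC address embedded in an IPv6 address whose interface
    identifier was built with the modified EUI-64 scheme (RFC 4291, Appendix A),
    or None if the low 64 bits do not have that shape.

    A device that autoconfigures this way announces its hardware address to
    every peer it talks to, so its "unique identity" is also a tracking handle.
    (A random identifier can contain ff:fe by chance, so treat a hit as a strong
    hint, not proof.)
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]   # low 64 bits = interface identifier
    if iid[3:5] != b"\xff\xfe":                    # EUI-64 splices ff:fe into the 48-bit MAC
        return None
    first_octet = iid[0] ^ 0x02                    # undo the universal/local bit flip
    mac = bytes([first_octet]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def leaks_hardware_address(addr: str) -> bool:
    """True when the address exposes the interface's MAC (no privacy extensions)."""
    return embedded_mac(addr) is not None


if __name__ == "__main__":
    # Constructed sample addresses: the first is SLAAC with an EUI-64 identifier,
    # the second has a random (RFC 4941 style) identifier.
    for a in ("fe80::211:22ff:fe33:4455", "2001:db8::1a2b:3c4d:5e6f:7a8b"):
        print(a, "->", embedded_mac(a))
```

Run it over the addresses your IoT fleet actually uses; devices that show a MAC here are trackable across networks by address alone, and the fix is on the device (privacy extensions or stable-privacy identifiers, RFC 7217), not in the network.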
Believe it or not, the highly decentralized 4G/LTE networks are not decentralized enough to support IoT and connected device platforms. It all comes down to density. The sheer number of IoTs is driving a level of density that is best described by an "IoTs per square foot" model rather than today's devices-per-cell model. Making some broad, yet reasonable, assumptions, the average 4G/LTE cell tower today covers an area from a few square miles up to about 10 square miles. Each cell tower supports several thousand connections at up to one gigabit per second of total data throughput. The number of mobile phones and IoTs in any cell area is starting to outpace the maximum connection or bandwidth capacity of the towers, and at this rate it won't be long until portions of the infrastructure are fully saturated. Another factor that needs to be addressed is frequency spectrum. Currently, most mobile networks operate in the 700 MHz to sub-3 GHz bands. This sub-3 GHz spectrum is also becoming saturated, and will soon not be able to carry the volume of connected devices. This, though, is where 5G networks really shine. 5G uses a greater number of cell sites with smaller coverage areas, each capable of supporting a greater number of devices. 5G also operates at much higher frequencies, from the mid-band around 3 GHz up into the millimetre-wave bands at 24 GHz and above. The additional spectrum buys much more capacity for existing carriers as well as providing more operating room for additional, more specialized carrier networks. More carriers means more competition, driving lower prices and more specialized service providers supporting specialty technologies. There is also more capacity and intelligence built into 5G. It uses cognitive techniques to distinguish between mobile and static devices and determine the best methods for content delivery to each network subscriber.
5G offers robust performance that meets or beats network bandwidth available today only via fiber optic networks. 5G has been demonstrated in a lab at an astonishing 1 Tbps (terabit per second), and its specified peak data rates are on the order of 10 to 20 Gbps. 5G's scale, capacity and performance is a game-changer. Finally, let's talk about IoT Security. Aside from adequately scalable addressing and communications infrastructure, securing all of the distributed and diverse platforms that use them is another challenge that has to be overcome. Realistically, the combination of 1) the unique identity for every individual technology that IPv6 provides, 2) the enhanced communications capacity and capabilities of 5G, and 3) the support for many-to-many communications that IPv6 and 5G together offer, makes security not just important but an imperative. Today's security models are not adequate for the new generation of infrastructure. The challenge is that a whole new security model is necessary to support the new IPv6 / 5G generation of communications. On-device security is not viable because the sheer volume and variety of unique, purpose-built technologies that need to be secured create an uncontrollable, hyper-fragmented jumble of security tools. This creates a patchwork quilt of security tools that organizations have to acquire, implement, integrate, operationalize, manage, troubleshoot and refresh. A complete non-starter! Network security tools just don't support mobile and distributed technologies, the very thing that 5G enables. This is like trying to fit a square peg in the security round hole. Then there are the cloud-based IoT security companies. Securing distributed platforms from the cloud is very viable, except that almost all IoT security cloud plays are what is referred to as "You're Screwed" technologies.
They are notification oriented technologies that collect logs from devices and analyze them to determine malicious behavior. Once malicious behavior is detected, they notify administrators who have to manually respond to each incident. This approach is reactive and not sustainable at scale. The Future of IPv6, 5G and IoT Security. IPv6, 5G Networks and IoT Security are the critical trio that have to work cohesively and effectively at scale to serve as the enablement platforms for a more prolific use of Internet-of-Things. A shortcoming in any one of these areas translates to shortcomings in the overall solution. Today, IPv6 is well established and though not ubiquitous, it's close, and there is clarity on how to get it there. 5G is very much well on its way and the telcos have already started their 5G rollouts. Security still remains an unanswered challenge. Acreto recognizes the weakness in today's available security options and has developed a platform from the ground up to work hand-in-hand with IPv6 and 5G networks to empower and enable the Internet-of-Everything. Learn more about Acreto's platform on our website here. Also on our website, you can find links to the American Registry of Internet Numbers' (ARIN) notification to network providers of IPv4 address exhaustion, as well as another letter on how to deal with IP address depletion from the Number Resource Organization (NRO). Learn more or read online by visiting our web site: Acreto.io — On Twitter: @acretoio and if you haven’t done so, sign up for the Acreto IoT Security podcast. You can get it from Apple – Google or your favorite podcast app. About Acreto IoT Security Acreto IoT Security delivers advanced security for IoT Ecosystems, from the cloud. IoTs are slated to grow to 50 Billion by 2021. Acreto’s Ecosystem security protects all Clouds, users, applications, and purpose-built IoTs that are unable to defend themselves in-the-wild. 
The Acreto platform offers simplicity and agility, and is guaranteed to protect IoTs for their entire 8-20 year lifespan. The company is founded and led by an experienced management team, with multiple successful cloud security innovations. Learn more by visiting Acreto IoT Security on the web at acreto.io or on Twitter @acretoio.
Why We Did This – Facebook's New Product: You. In a number of confidential strategy sessions with the Acreto Advisory team, led by Bob Flores, former CTO of the CIA, we set out to identify a number of potential mid- to long-term threats that we should monitor. In studying the challenges that come with securing and adopting IoT technologies, and based on the complexities of how they operate and the dependency model that is established sociologically, we realized that Facebook, Google and other similar tech giants are starved for data points. "It used to be that analysis of large amounts of data was limited to the biological capacity of the person. Computers didn't use to have the processing power nor the algorithms and data sciences that they do today. Now, that's not the case. The fact of the matter is that all these social media companies are data-starved. The more data points they have, the more they can absorb. There is no overload capacity for these social giants." Babak Pasdar, CEO and CTO of Acreto. Given recent events, and since we had one of the foremost experts in data collection in the world with us, when the conversation turned to Facebook we homed in on their data collection platform, where they are now and where they are heading in the future. We uncovered enough in that meeting to warrant a deeper dive into the Facebook machine. We studied the company, their practices, their history, their technology and even the psychology of its management team. We uncovered a lot of information, and the more we uncovered, the more we wanted to dig. Through extensive research exploring investments, patents, acquisitions, market positioning and even management's comments, we uncovered data that we found concerning. Pasdar explains, "We first became professionally interested in Facebook when we realized they have pinned their strategic future on IoTs.
Where once Facebook's information sources were limited to a handful of devices like computers and phones, with IoT integration they can collect much more granular data from hundreds if not thousands of sources." Part of what makes this challenge difficult is that the social media companies have features and functions that people want, and they have built social environments that have become 21st century meeting grounds. These platforms are where the global community meets. The data points that IoT devices represent are hard to give up because the functionality behind them may be highly desired, or even necessary, for the way people expect to 'connect' with others. With these platforms it has been an all-or-nothing proposition. What we're doing, first and foremost, is identifying the problem. We are also offering organizations and consumers a balanced choice, so that they can share the information they want to share, use the services of the platform in the granular way they desire, and keep the data they want to protect private. Facebook has proven it can be a kingmaker. Despite the company's public relations lines, it's clear that every party and every politician, for any seat, will engage in Facebook hacking. We define Facebook hacking as utilizing publicly available resources, along with coercion and manipulation of people, technologies and processes, to gain advantages. Advantages that can be for a cause, God, pocket book, or country. Facebook hacking is not limited to politicians; it also extends to adversaries, including those who wish physical and economic harm upon others. The stage has been set for compromising and manipulating entire communities. When thinking about securing IoT devices, we think like hackers do. How do we break it or steal it?
How do we manipulate it or prevent it from functioning? How do we destroy it? These are the questions we ask. Hacking is rarely direct or simple. Many times, hacking involves a complex orchestration of multiple components with many permutations. When thinking this through, we realized first how integral IoT devices are to social media, and second the impact they have on privacy and on how we live our lives. If Facebook and Google can know as much about you as they do today with just a handful of devices, such as your computer, your phone or your watch, picture how much they would know about you and how they could manipulate you, and societies, economies or even democracies, when they have thousands of highly granular data points for each individual they track. Facebook's reach is astounding. The organization collects a constant stream of data from one-third of the world's population, and has its roots nestled in half of the world's web sites. In Acreto's Facebook Dossier, the team makes the case for Facebook as spyware and a personal information trafficker. Along with the dossier, Acreto is announcing new technology specifically designed to protect against and prevent direct and indirect data leaks to Facebook and other data collection platforms such as Google, among others. Facebook's New Product: You. Overall, the dossier explains how Facebook is intrusive for users and non-users alike. Most notable among recent events, the Cambridge Analytica scandal revealed a vast, deeply intrusive analytics and manipulation operation with Facebook at its core. The extraordinary amount of private data harvested from Facebook was used to profile and target voters on behalf of conservative campaigns during the 2016 US presidential election. The information gathered from multiple testimonies to US and European legislators and regulators sheds light on Facebook's IoT strategy and sets the stage for intrusion of privacy of historic proportions.
Nothing is more illuminating about Facebook's strategy of data collection than their acquisition of Onavo, dubbed a "mobile data analytics company" but in actuality a 'man-in-the-middle' masquerade to collect, store and analyze all user communications for Facebook's use, benefit and profit. Facebook came, Facebook saw... and Facebook continues to conquer: this time, your IoT devices. "Cambridge Analytica is the canary in the coal mine to a new Cold War emerging online. Soon the so-called 'Internet of Things' will become the norm in American households. Algorithms will soon be driving our cars and organising our lives. This is not just about technology today, we have to seriously consider the implications for tomorrow. To put it bluntly, we risk walking into the future blind and unprepared." Christopher Wylie, Cambridge Analytica whistleblower. Cambridge Analytica and its parent company, SCL Elections, used a suite of political psyops tools in more than 200 elections around the planet. The vast majority of the targets were third world and underdeveloped countries, many without the resources or knowledge to defend themselves. These efforts were in preparation for their biggest effort to date: the US 2016 Presidential Elections. As we round the corner to the 2018 mid-term elections, Facebook and their capabilities loom large, especially when there is no buy-in from the topmost echelon of political leadership. Your data is no longer your own. Facebook wants it all, and they want it now, to weaponize their most valuable product: the user. To read more about Russian nation state hacking of the US elections and how cyberattacks come together, check out a two-part collaboration between Acreto CEO, Babak Pasdar, and former CTO of the CIA, Bob Flores, here.
Bloomberg Spy Chip – Bullshit? This is Part 1 of a two-part investigative deep-dive into the accusations of Bloomberg’s recent article, ‘The Big Hack’. Written by Bob Flores, former CTO of the CIA, and Babak Pasdar, CEO of Acreto IoT Security. In a recent blog, Babak Pasdar highlighted a Bloomberg report that claimed China had embedded hardware spy chips on servers from Supermicro. Supermicro provides data-center servers used by many companies from small startups to the likes of Amazon and Apple. Bloomberg claims that the spy chips were discovered by a security auditor hired by Amazon AWS. This audit was part of an acquisition due diligence of Elemental Technologies, a platform specializing in multi-screen video processing. Bloomberg claims that Amazon and Apple are among the organizations impacted by the alleged Chinese spy chip. And one-by-one they have all denied that the story has merit. However, Bloomberg, a model agency in news reporting, has refused to offer any additional information or alternatively to pull the story. There is a lot about this story that doesn’t pass the smell test. If Supermicro servers have been compromised, it is a huge story. Though not a household name like Dell or HP, Supermicro is one of the top data center server platforms on the market. It is considered to be a good product with global availability at a fair price. In the article, Bloomberg makes a pointed accusation yet offers evidence that at best is vague. In the previous blog, we asked several questions: Who was the Security audit company that discovered the spy chip? How did they get access to schematics to do chip by chip validation of the hardware? Schematics that in any scenario would be considered trade secrets. If the spy chips were secretly installed by a Supermicro contractor as the article claims, who QA'ed the hardware and why was the chip not discovered during the QA process? Given the emphatic and detailed denials by both companies and the U.S. 
government, why has Bloomberg not released more detailed data to back up their claims? The implications are that China has backdoor access to countless systems, hosting applications and data, impacting thousands of companies and millions of individuals. The integrity of corporate, government and critical infrastructure is at stake, as well as personal data for large swaths of the population. Is This Realistically Possible? Bloomberg provided very little detail, and what they did provide was at best vague and not evidence-worthy. Based on the information they did provide, the industry take-away is that this compromise would work through the server's IPMI interface. IPMI is the remote management interface of the Baseboard Management Controller (BMC), an always-on embedded computer inside the server that manages the hardware even when the host is powered off. As presented, the BMC can theoretically be manipulated to function as a back door, providing access to the server's network, system memory and the system bus. You can learn more about this in Pasdar's previous blog on this issue on our website. Having said that, for Bloomberg's vague spy chip explanation to work, you need a Supermicro motherboard with an on-board BMC, and then many, many, many things have to line up for the compromise to work. First, an Internet accessible IPMI connection with stateful outbound access is needed, something no self-respecting organization with even a moderately experienced infrastructure team would have. The chip Bloomberg presented in their article is physically too small to store and execute the code necessary to fulfill its purpose, so it would also need to connect to an external server and download software. Attackers do not use an external server they own that references back to them: it would lead authorities right to them and there would be no plausible deniability. The server is most likely another compromised system on the Internet. Moreover, the external server's address would not be hard-coded into the chip.
Compromised servers are disposable, since the compromise may be discovered and addressed at any point, or the system moved or decommissioned. If that happened with a hard-coded address, the entire effort would be wasted. Instead, a process like fast-fluxing, or something similar, would be used to let the spy chip connect to an ever-changing botnet network of external servers. Fast-fluxing is a botnet technique for keeping command infrastructure reachable without exposing the bot-master: the IP addresses behind a fully qualified domain name (FQDN) are rotated rapidly, using very short DNS time-to-live values, across whichever compromised hosts are currently serving the malware. Combined with a domain generation algorithm, where the implant and the operator independently derive the FQDN to meet at for a given time, many different FQDNs spanning many different domains can be used to deliver content to the spy chip from the then-valid compromised IP addresses. The spy chip then needs to integrate into the server's OS, on-the-fly, during the boot process. This requires injecting the appropriate code for the specific OS used on the server. The OS could be one of dozens, if not hundreds, of possible options, since the Supermicro B1DRi motherboard that Bloomberg claims is compromised is certified compatible with many different OSes and versions. This includes 32-bit Red Hat, SUSE, Ubuntu and FreeBSD, as well as many versions of 64-bit Red Hat, Fedora, SUSE, Ubuntu, Solaris, FreeBSD, CentOS and Windows. Further, it also supports multiple hypervisor versions of VMware, KVM and XenServer, not to mention Amazon AWS's proprietary hypervisor. Each one of these OSes needs different code, and even each version of the same OS may require altogether different code to be injected into the compromised system. Consider how quickly the spy chip would have to act to intercept local boot code, determine the OS brand, distro and version from a smattering of code flying across the computer's bus, perform the fast-flux lookup and fetch the appropriate compromise code from the appropriate server.
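To make the rendezvous mechanism described above concrete, here is an added example written for this page (not code from the authors, from Acreto, or from any real malware). It has two halves: a resolver-log heuristic that flags fast-flux names by their short TTLs and IP/ASN diversity, which is how a defender would spot the rotating infrastructure, and a hypothetical date-seeded domain generation function showing how an implant and its operator can agree on a meeting-point name without storing any server address, and how a defender who knows the seed can precompute those names for sinkholing. The DNS observations, names, ASNs, seed and thresholds are all constructed for illustration.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class DnsAnswer:
    """One A-record answer observed for a name (constructed, not real traffic)."""
    fqdn: str
    ip: str
    ttl: int   # seconds
    asn: int   # autonomous system announcing the IP


# Illustrative thresholds; tune against your own resolver logs.
MAX_FLUX_TTL = 300        # short TTLs let the operator swap IPs within minutes
MIN_DISTINCT_IPS = 5
MIN_DISTINCT_ASNS = 3     # compromised hosts are scattered across unrelated networks


def flux_report(answers: Iterable[DnsAnswer]) -> Dict[str, dict]:
    """Summarize per-name IP/ASN diversity and lowest TTL, flagging fast-flux candidates."""
    ips = defaultdict(set)
    asns = defaultdict(set)
    min_ttl: Dict[str, int] = {}
    for a in answers:
        ips[a.fqdn].add(a.ip)
        asns[a.fqdn].add(a.asn)
        min_ttl[a.fqdn] = min(a.ttl, min_ttl.get(a.fqdn, a.ttl))
    report = {}
    for name in ips:
        row = {
            "distinct_ips": len(ips[name]),
            "distinct_asns": len(asns[name]),
            "min_ttl": min_ttl[name],
        }
        row["fast_flux"] = (
            row["min_ttl"] <= MAX_FLUX_TTL
            and row["distinct_ips"] >= MIN_DISTINCT_IPS
            and row["distinct_asns"] >= MIN_DISTINCT_ASNS
        )
        report[name] = row
    return report


def rendezvous_name(seed: str, day_iso: str, tld: str = "com") -> str:
    """Hypothetical date-seeded domain generation algorithm (DGA).

    Implant and operator both know `seed`; each derives the day's meeting-point
    FQDN from it, so the implant never stores a server address or a fixed domain.
    """
    digest = hashlib.sha256(f"{seed}|{day_iso}".encode()).hexdigest()
    return f"{digest[:12]}.{tld}"


def rendezvous_names_for_day(seed: str, day_iso: str, count: int = 3) -> List[str]:
    """Names an implant with this seed would try on `day_iso`; a defender who has
    recovered the seed can register or sinkhole them ahead of time."""
    return [rendezvous_name(f"{seed}#{i}", day_iso) for i in range(count)]


# Constructed sample observations: one rotating name, one ordinary static name.
SAMPLE = [
    DnsAnswer("updates.cdn-example.test", ip, 60, asn)
    for ip, asn in [("198.51.100.7", 64501), ("203.0.113.9", 64502), ("192.0.2.44", 64503),
                    ("198.51.100.88", 64504), ("203.0.113.120", 64502), ("192.0.2.201", 64505)]
] + [
    DnsAnswer("www.static-example.test", "192.0.2.10", 86400, 64500),
    DnsAnswer("www.static-example.test", "192.0.2.11", 86400, 64500),
]

if __name__ == "__main__":
    for name, row in flux_report(SAMPLE).items():
        print(name, row)
    print(rendezvous_names_for_day("example-seed", "2018-10-20"))
```

The ASN column is what separates fast flux from a legitimate CDN, which also rotates many IPs on short TTLs but usually within its own networks; feed the heuristic from passive DNS and an IP-to-ASN mapping rather than from a single resolver's view.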
All of this -- which is a lot -- needs to happen for the spy chip to work. Next Up: Bloomberg Spy Chip – Bullshit? Part 2: Let's Break Down the Claims.
This is Part 2 of a two-part investigative deep-dive into the accusations of Bloomberg's recent article, 'The Big Hack'. Written by Bob Flores, former CTO of the CIA, and Babak Pasdar, CEO of Acreto IoT Security. Bloomberg Spy Chip - Bullshit? Part 2. Now let's break down Bloomberg's claims further. In the article they present a graphical image of a Supermicro motherboard and strip away components until the spy chip can be seen. The motherboard they present is a Supermicro B1DRi with an AOC-GEH-i4M add-on module. As shown on the Supermicro web site, the B1DRi is designed to host up to two Intel Xeon E5-2600 v3/v4 CPUs and up to 256 GB of 288-pin DDR4 memory, and can be mounted on a sled with its own hard disks. However, it is not a standalone server and needs to be mounted in a blade enclosure to function. The enclosure provides power, hosts a network switch and, most importantly, has a shared IPMI management module. If the spy chip works through the IPMI, how can Bloomberg show the spy chip placed on the motherboard when the IPMI for the board is an external module in the enclosure? It appears the IPMI module must be individually linked to each server blade to manage that blade. It plugs into the enclosure and, to be used, needs to be individually assigned to each of up to 16 server blades. If that is the case, then there is a 1 in 16 chance of compromising any given server, and even then it would be opportunistic and inconsistent, depending on which blade the IPMI module happens to be managing at boot. Now let's discuss the chip Bloomberg presented in the article. If the insanity of the logistics to effectuate this hack is not enough to make you call Bloomberg's story Bullshit, then their presentation of the spy chip should. The chip presented IS NOT A SPY CHIP, it is an RF balun: a standard, off-the-shelf Surface Mount Device (SMD) that converts between balanced and unbalanced signals, hence the name bal-un.
If you look at the Stesys or Farnell websites, they are two of the many component providers who sell them. You too can have one for a mere $1.67. And if the pictures were supposed to be mere examples of what a spy chip might look like and the type of motherboard it could be embedded on, they certainly did not present it that way. Also, consider that a motherboard is an incredibly complex piece of equipment. These types of motherboards need to be extremely high performance and extremely compact at the same time. This makes them extremely dense. They are almost always multi-layer boards where traces connecting the various electronic components exist on as many as a dozen different layers. And these systems are delicate, their operation requires the various electronic components to operate harmoniously. Frankensteining hardware to the system would be at the very least — challenging. The majority of people within a company involved in R&D, design, procurement, manufacturing and testing of the motherboards are often sequestered into groups with access that is limited to specific functional domains. Very few people have complete access to the designs and schematics for the entire board. And this almost never includes subcontractors or some small security company out of Canada doing technical due diligence for a mundane acquisition. Furthermore, the people charged with manufacturing are typically not the same people who do quality assurance (QA). The job of QA is to test every permutation of every function. We have to believe that QA’s most fundamental tests would catch something as overt as communications where the spy chip tries to identify, fetch and inject packets on-the-fly. The number of people that would need to be turned or paid off would be staggering. As many as 30 – 50 people would need to be engaged throughout the supply chain spanning multiple companies and countries. An amateurish and incredibly messy way to run a covert op. How Everything Comes Together. 
Because of the vague assertions, it is tough to argue definitively that any one aspect of the article is wrong. However, when you put it all together:

1. We don't know of many security companies that do reverse engineering on PCs as part of their due diligence.
2. Schematics are trade secrets and almost never available for complex multi-layer motherboards. How could the security company have had access to schematics?
3. The sheer number of people that would need to be involved in implanting the spy chips is staggering and doesn't make sense for this type of effort.
4. The QA process, one known to be particularly meticulous, never caught the issue.
5. The ridiculous complexity of the hack, where the sun, the moon and the stars have to align for it to work.
6. Not only is this compromise overt and easy to identify, but the vast majority of organizations have built-in defenses against this attack vector, especially Apple and Amazon.
7. The need for an Internet accessible IPMI network.
8. The need for the chip to fast-flux, connect to a remote system and pull down compromise code while the system is booting.
9. The complexity of pulling a different code set on-the-fly for each of the hundreds of unique operating system and revision combinations.
10. The B1DRi motherboard is part of a blade system without any on-board IPMI, and the shared IPMI module can only manage one blade at a time.
11. The vagueness of the charges and the lack of any supplemental follow-up, while Bloomberg continues to sit silent.
12. And trying to sell us that an off-the-shelf $1.67 RF balun is a spy chip.

For these reasons, many of us believe the Bloomberg story just doesn't have a leg to stand on. Bloomberg has made explosive allegations. They have had a drastic negative impact on Supermicro's stock price, down 50% as of this writing. Their story is barely, if at all, viable. The information they provided was amateurishly vague. Their silence in the face of the backlash speaks volumes.
And yet they continue to stand by their story and not recant. Add Bob Flores and Babak Pasdar to the growing list of skeptics. If you have evidence, then present it, and if you were conned it is understandable – but please stand up and own it.

Learn more or read online by visiting our web site: Acreto.io — On Twitter: @acretoio, and if you haven't done so, sign up for the Acreto IoT Security podcast. You can get it from Apple – Google or your favorite podcast app.

About Acreto IoT Security

Acreto IoT Security delivers advanced security for IoT Ecosystems, from the cloud. IoTs are slated to grow to 50 Billion by 2021. Acreto's Ecosystem security protects all Clouds, users, applications, and purpose-built IoTs that are unable to defend themselves in-the-wild. The Acreto platform offers simplicity and agility, and is guaranteed to protect IoTs for their entire 8-20 year lifespan. The company is founded and led by an experienced management team, with multiple successful cloud security innovations. Learn more by visiting Acreto IoT Security on the web at acreto.io or on Twitter @acretoio.
Russian Hacker Caught and Convicted: From US With Love

Written by Babak Pasdar, CEO and CTO of Acreto.

A little while ago, a client called me in to do a security operations 'best practices' education session. They were a dot-com site that had recently spun off from one of the major financials. They had not yet laid down their sec ops roots and were still engaged in establishing the fundamentals. They wanted an informal education session to get the entire team on the same page. Their conference room was packed with their security team as well as several people from their operations center, which I had requested. In many instances, the ops team is on the front line and often identifies and conducts the initial steps in handling security incidents.

At some point during the session, I started to talk about scammers. One trick that malicious people use is to acquire domain names that are similar to the site they are targeting. Since the client was a financial and their site contained personal information for hundreds of thousands of consumers, it was an attractive target.

I first recommended they acquire or actively monitor all sound-alike and similar domains. For example, if their domain name is jacks.com, spelled J A C K S, they should acquire or monitor the domains spelled J A X dot com and J A K S dot com.

Second, I recommended that all permutations of domains that could be mis-typed by users should be acquired or monitored as well; specifically, any combination of surrounding characters on the keyboard for each letter that makes up their domain name. For example, if their domain name is abc.com, they should monitor domains where the 'A' in abc.com is replaced with S, X, Z, W, and Q. If a company wanted to take it a step further, they would cover the immediate two surrounding characters on the keyboard as well. Should users mistype, which they often do, they should not be directed to a look-alike site to which they would innocently offer their credentials.
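A generator for the look-alike domains described above, added here as an example (not the author's or Acreto's code): it produces sound-alike spellings, keyboard-adjacent typos (one or two rings of keys) and the plural form that the story turns on next, and takes an injectable resolver so the watch list can be checked for live registrations. The QWERTY adjacency map, the sound-alike rewrite rules and the domain names used are assumptions.

```python
"""Look-alike domain generator for registration / monitoring.

Added example, not code from the original post. The QWERTY neighbour map
and the sound-alike rewrite rules below are simplified assumptions; the
entry for "a" reproduces the article's example (a -> s, x, z, w, q).
"""
import socket
from typing import Callable, Dict, List, Set

ADJACENT: Dict[str, str] = {
    "q": "wa", "w": "qeas", "e": "wrsd", "r": "etdf", "t": "ryfg",
    "y": "tugh", "u": "yihj", "i": "uojk", "o": "ipkl", "p": "ol",
    "a": "qwszx", "s": "adwezx", "d": "sferxc", "f": "dgrtcv",
    "g": "fhtyvb", "h": "gjyubn", "j": "hkuinm", "k": "jliom", "l": "kopm",
    "z": "asx", "x": "zcsd", "c": "xvdf", "v": "cbfg", "b": "vngh",
    "n": "bmhj", "m": "njk",
}

# Sound-alike rewrites (assumption): "jacks" -> "jax", "jaks" as in the article.
SOUNDALIKE_RULES = [("cks", "x"), ("ck", "k"), ("ph", "f")]


def split_domain(domain: str):
    """'Jacks.com' -> ('jacks', 'com'). Only the leftmost label is varied."""
    label, _, rest = domain.lower().partition(".")
    return label, rest


def keyboard_variants(label: str, rings: int = 1) -> Set[str]:
    """Replace one character at a time with a key within `rings` steps of it."""
    variants: Set[str] = set()
    for i, ch in enumerate(label):
        keys = set(ADJACENT.get(ch, ""))
        for _ in range(rings - 1):          # widen to neighbours of neighbours
            keys |= {n for k in keys for n in ADJACENT.get(k, "")}
        keys.discard(ch)
        for k in keys:
            variants.add(label[:i] + k + label[i + 1:])
    return variants


def plural_variants(label: str) -> Set[str]:
    """The plural spelling of the label (the third check in the article)."""
    suffix = "es" if label.endswith(("s", "x", "ch", "sh")) else "s"
    return {label + suffix}


def soundalike_variants(label: str) -> Set[str]:
    out = {label.replace(old, new) for old, new in SOUNDALIKE_RULES if old in label}
    out.discard(label)
    return out


def candidate_domains(domain: str, rings: int = 1) -> List[str]:
    """All look-alikes of `domain`, sorted, excluding the domain itself."""
    label, rest = split_domain(domain)
    labels = keyboard_variants(label, rings) | plural_variants(label) | soundalike_variants(label)
    labels.discard(label)
    return sorted(f"{name}.{rest}" for name in labels)


def registered_lookalikes(domain: str,
                          resolve: Callable[[str], str] = socket.gethostbyname,
                          rings: int = 1) -> Dict[str, str]:
    """Return {candidate: address} for candidates that currently resolve.

    `resolve` is injectable so the check can run offline; the default does a
    real DNS lookup (socket.gaierror is a subclass of OSError).
    """
    live: Dict[str, str] = {}
    for cand in candidate_domains(domain, rings):
        try:
            live[cand] = resolve(cand)
        except OSError:
            continue            # NXDOMAIN or no answer: nobody holds it yet
    return live


if __name__ == "__main__":
    # Hypothetical domain from the article; prints the watch list only.
    for cand in candidate_domains("jacks.com"):
        print(cand)
```

Candidates that resolve to addresses outside your own IP blocks are the ones to investigate first, which is exactly the signal the story below turned on.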
Third, I suggested that the plural version of the words included in their domain name should be acquired and monitored. As I was making this third point, I typed in the plural of their domain name – and their site showed up. I thought I had made a typo, that through muscle memory I had entered their correct domain name. I double-checked, and I had typed exactly what I intended to type – the incorrect, plural variant. I was impressed. I thought to myself that they were ahead of me and had already acquired the plural domain and redirected it to their site. "Smart! You guys already got this?" I said to the group. I looked around the room and saw confused expressions all around. Finally, someone said, "I don't think that we did – I'm pretty sure we didn't."

After a dig on the Fully Qualified Domain Name (FQDN) and an MTR (a better traceroute), it became clear that the site was not theirs. It looked exactly like their site, including the login page. However, it was not using their IP block nor any of their ISPs. It traced back to Las Vegas, Nevada.

Needless to say, the training session abruptly ended and became a real-life incident response. The organization's executives, their general counsel, all security team members, and all IT managers and above joined an emergency meeting in the conference room. Anyone not on-site joined via conference bridge. During the meeting, their sharp help-desk manager offered that he had seen an increase in the number of calls for password reset requests in the past two weeks. We started connecting the dots.

We came away from the meeting with several action items:

• We needed to determine if there was a compromise, and if so, how many users it impacted and its duration.
• The help-desk team set out to cross-correlate password reset support calls with the date/time of failed authentication logins in their logs.
• They would identify any users who called for a password reset who had no corresponding failed login attempts in the logs.
There were roughly a dozen, dating back only two weeks.
• The help-desk team contacted these users and established completely new identities for them.
• My team was to implement an emergency infrastructure should the malicious person attempt to use the stolen identities.
• I reached out to my contacts in the FBI cyber-crime team and reported the issue, and Agent Brown from the New York cybercrimes team was assigned to our case.
• We contacted a law firm with experience in cyber crimes along with the organization's retained counsel.
• The legal team started to outline a notice as required by compliance, in preparation should notifications be necessary.

After this, my team members and I set out to execute on a plan to identify and catch the person.

First, a honeypot. The compromised user credentials correlated by the help desk were redirected to a training system that looked and functioned just like their application, but contained dummy data. With this in place, the risk of any further data theft, manipulation or deletion was mitigated.

Then, we implemented a high-performance packet capture system using a powerful server, a hardware-offloading network interface and several open-source tools to collect all communications from the malicious person/people. We made sure that the packet capture system was implemented, and its captures handled, with proper evidentiary chain-of-custody standards. Finally, we configured the units to send us text messages as soon as any of the compromised accounts were accessed.

We were finally ready to track the malicious people. In less than forty-eight hours we architected, acquired the highly specialized equipment required, and configured and tested the infrastructure. I then set out to document everything, including the operations runbook for these new systems, which included evidentiary chain-of-custody handling of any evidence collected.
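The help-desk correlation from the action items above, as an added example (not the author's code): a user who simply forgot their password normally shows failed logins before calling, while a user whose credentials were captured by the look-alike site typed them into the wrong server and leaves no failures in the real site's logs, so resets with no preceding failure are the ones to chase. The log format, the 48-hour window and the sample data are constructed assumptions.

```python
"""Correlate help-desk password-reset calls with authentication logs.

Added example, not code from the original post. Log format, window and
sample data are constructed.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed auth log lines (syslog-style key=value; format is an assumption).
AUTH_LOG = """\
2018-10-01T08:02:11Z auth user=alice result=FAIL src=203.0.113.5
2018-10-01T08:02:40Z auth user=alice result=OK src=203.0.113.5
2018-10-02T09:15:00Z auth user=bob result=FAIL src=198.51.100.9
2018-10-02T09:15:30Z auth user=bob result=FAIL src=198.51.100.9
2018-10-03T11:00:00Z auth user=carol result=OK src=192.0.2.44
2018-10-03T11:05:00Z auth user=dave result=OK src=192.0.2.45
"""

# Constructed help-desk tickets: (username, time the user called for a reset).
RESET_CALLS: List[Tuple[str, str]] = [
    ("alice", "2018-10-01T08:30:00Z"),   # forgot password: failures precede the call
    ("bob",   "2018-10-02T10:00:00Z"),   # same
    ("carol", "2018-10-03T12:00:00Z"),   # no failures before the call: suspect
    ("dave",  "2018-10-04T09:00:00Z"),   # no failures at all: suspect
]

LINE_RE = re.compile(r"^(\S+) auth user=(\S+) result=(OK|FAIL) src=(\S+)$")


def parse_time(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def parse_auth_log(text: str) -> Dict[str, List[datetime]]:
    """Return {user: [timestamps of FAILED logins]}; other lines are ignored."""
    failures: Dict[str, List[datetime]] = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue                      # unrelated or malformed line
        stamp, user, result, _src = match.groups()
        if result == "FAIL":
            failures.setdefault(user, []).append(parse_time(stamp))
    return failures


def resets_without_failures(reset_calls: List[Tuple[str, str]],
                            auth_log_text: str,
                            window: timedelta = timedelta(hours=48)) -> List[str]:
    """Users who asked for a reset with no failed login in `window` before the call.

    These are the accounts whose credentials may have been entered on the
    look-alike site rather than the real one, and should be re-issued.
    """
    failures = parse_auth_log(auth_log_text)
    suspects: List[str] = []
    for user, called_at in reset_calls:
        called = parse_time(called_at)
        recent = [t for t in failures.get(user, []) if called - window <= t <= called]
        if not recent:
            suspects.append(user)
    return suspects


if __name__ == "__main__":
    for user in resets_without_failures(RESET_CALLS, AUTH_LOG):
        print(f"review account: {user}")
```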
I personally spent nearly seventy-two hours straight at the customer's data center, hopped up on adrenaline and coffee. It's rare to catch hackers and scammers, and I felt strongly that we had a good chance of doing so in this case.

In the meantime, the FBI requested and received a subpoena for the IP address of the server as well as the domain name registrar. Fortunately, the ISP quickly provided the physical address associated with the identified IP address. Agent Brown called the FBI field office in Nevada and requested agents drive by and visualize the address location. A few hours later we received information that the address was actually a car dealership. The FBI agents in Nevada managed to trace the ISP connection to the basement of the dealership. When they inquired about the Internet connection, the dealership informed them that the basement was rented to another party who was hardly ever there.

Technically, the malicious people had not done anything substantially criminal. So between the customer, the FBI and my team we decided to hang back and wait for the malicious people to attempt access to the customer system and, more importantly, to download personal identity information. There was no risk to any of the site users, since the data the malicious people would access was made-up training data.

We didn't have to wait long. At 3:00 am the following morning my phone started buzzing with alerts. I quickly logged on to see what had transpired. Jackpot! The malicious people had logged on under three different accounts and had systematically accessed multiple identities before generating a report that can only be described as an identity theft starter kit. A quick check showed a Canadian IP address as the source. Every packet of the communications was collected and logged. We had all that was required to completely recreate and replay the malicious people's entire effort. The session was short. It had only lasted 15 minutes.
But it was all that was necessary. There were no other attempts that day. Early the following morning, we contacted Agent Brown and the cybercrime task force supervisor and arranged for collection of the evidence. During the call we also determined our next course of action. The FBI could have reached out to the Canadian authorities, but thought it best to try to lure the person to the US. The plan was that the FBI would get a court order to confiscate the computer in Las Vegas. If they spotted cameras, they would simply disconnect the Internet connection at the network terminal outside the building. If all went as planned, the malicious person would think there was a technical issue and come to fix it.

And then – the FBI surprised us. They had a person of interest in the case. They did not share many details about how they found this person of interest. Our best guess is that the person had been on the FBI's radar, and had somehow been associated with the stolen identity which was used to fraudulently pay for the acquired domain name and the Las Vegas basement housing the computer.

Later that morning, FBI Agent Brown came to our offices and we held an evidence hand-off ceremony. The next day we noticed that the scam site had gone down. Now there was not much else for us to do but wait. All was quiet for a while and life started to resume normalcy.

Two weeks later we got word that there had been an arrest! It was a Russian who, a few days after the site had gone down, had flown to Canada and from Canada to Las Vegas. He was arrested at the airport port of entry. Apparently, when presented with the evidence he made a plea bargain and soon after pleaded guilty at the hearing.

The team's dedication, professionalism and expertise drove this incident's success. Both the customer and my team operated flawlessly together, and the FBI came through in a big way. At a time when hackers attack indiscriminately, it felt great to catch one and snag a win for the good guys.
The Business of Security vs. Security of Business

Written by Babak Pasdar, CEO and CTO of Acreto.

The security industry has spent a lot of time over the past 30 years thinking of imaginative ways to put lipstick on today's cybersecurity pig. It's like a one-hit-wonder band that never adapted, playing the same song and putting on the same show over and over, even though their fans, the industry and the zeitgeist as a whole have evolved and transitioned. We are more distributed and mobile than ever. Yet the security industry remains unevolved, putting on the same show – playing their all-time favorites like "On-Device Security" and their mega-hit "Gateway Security".

Gateway security is an especially nuanced piece with broad range. There's the firewall, intrusion prevention, VPN gateway, the proxy, URL and content filters, and the component that binds them – SIEM. And that's the consolidated version of a lengthier and more complicated original score.

Compute has changed and continues to change dramatically in front of our eyes. Clouds, SaaS, mobile devices and the big daddy of them all – IoT – are contorting traditional security models and tools in ways never intended – until something breaks. And today, everything is breaking, since security as we know it dates back to the medieval ages.

Let's Get Medieval On Security

The king builds a castle (the network), puts a moat and drawbridge around it (gateway security) and posts sentries at the gate with special instructions (security policy). Need to operate outside the castle? If you have the strength (compute resources) and are wealthy enough to afford it (budget), you can put on custom armor (on-device security) and head out as a knight (remote user). Being a knight is exhausting though. Yes, you are well protected, but it burns a lot of energy (security team resources). Commoners, however, have to assume risk and live in a state of constant vulnerability.
Clouds and IoT have driven the vast majority of our functions and users to operate "outside the castle". In fact, the business of the king's court is now distributed. Commoners live and work remotely, never needing to set foot in the castle. There are even scenarios where some commoners operate and service other kingdoms near and far. When the court's subjects are remote and distributed, the king has two options – insist on keeping the castle, moat and drawbridge, or adapt.

So far the security industry has bitterly resisted adapting. Why -- tradition? Lack of alternatives? It's what they know? Or a combination of these. Gateway security still has its uses; however, the gateway security model is long in the tooth and its use-cases are diminishing by the week. And on-device security has been an expensive, ineffective and unsustainable failure. How can you package up an entire data center's worth of security functions in a $5 sensor with the compute resources of a Timex watch?

What the cloud started, IoTs have finished. In the past compute was network-centric; now it is distributed all over and even mobile. And we like it. Initially CISOs tried to control users by saying no to cloud and SaaS. Users wouldn't have it. They shrugged, walked away, and did it anyway. There was no putting that toothpaste back in the tube once they got a taste of cloud and SaaS.

Compute and technology have been democratized; however, the way we secure is still medieval. We have offered hackers the overwhelming advantage, all the while spending billions and billions on security. Vendors continue to monetize medieval security tools ill-suited to the new dominant compute model. How does this make sense? There are a few reasons:

First, it's what people know and have bought into. There are 30-plus years of approaches and methods, tools and technologies, processes and performance indicators that have been developed around medieval security.
It has become muscle memory for many who spent years honing their skills around these approaches. Just imagine if suddenly, through magical circumstances, the rule of thumb became NOT to apply pressure to bleeding wounds. The countless developed methods, processes, tools, and even tangential functions like billing would be impacted. The result would be chaos! Arguably, security is experiencing a mild form of chaos now.

Second, there are a lot of vendor-centric security professionals who know and understand security through the prism of a particular vendor. This is not meant to be derogatory, since these professionals are the backbone of the security industry. However, many are not security operators; they are security product managers. In most instances, along with functional and integration capabilities, security is but one of multiple features that security tools sport. Many security professionals are really, really good at keeping the lights on and packets flowing – and rely on the product to do its security stuff. Some vendors are so big and influential that more security professionals than we like to admit are exclusively committed to their tools. These professionals have done the economic calculus and have built their careers around a single brand, strictly based on market opportunity. Many evolve when vendors say it's time to evolve, for job prospect purposes. And the evolution of certain security professionals is curiously bound to the vendor's business strategy. An arrangement that benefits the vendor and the professional – just not security.

This brings me to the third point: the business of security vs. the security of business. It takes many years for new and emerging approaches or technologies to become mainstream. Large, influential vendors are focused on squeezing every last bit of economic value from their existing technology investments, while small innovative companies just don't have the market megaphone.
And pay-to-play analyst firms confuse matters further by offering tilted and skewed recommendations.

Now, let's talk about the Cyber Hare vs. the Security Turtle. Hackers are cutting-edge. They are imaginative. They formulate crazy ideas meant to break the rules. The security industry counters with security professionals who are compelled to be conservative – to a fault. Hackers don't care about function and performance, whereas organizations prioritize both over security. Hackers can experiment and fail countless times, forging their own path along the way, while organizations identify gaps by virtue of emerging product categories. Often it takes anywhere between three and five years, depending on the organization, to implement new product categories for an emerging threat type. At that point the threat is not so emerging anymore!

Moreover, organizations befuddle themselves by implementing a process, a very organized one at that, developed to assure failure. This includes assessing requirements, assigning budget, talking to Gartner to see who paid them most, evaluating several brands, selecting a technology, negotiating legal, purchasing, implementation, integration, administration, management, monitoring and troubleshooting. Where is the agility?! Aside from the security functions the product offers, nothing in the process above even comes close to security operations.

What does this mean? It means that hackers have a significant upper hand. This upper hand is so overwhelmingly one-sided that it has evolved from the ability to impact business to the ability to devastate economies and undermine democracies.

Cyber - The Longest War

Today, everyone talks about the war in Afghanistan as our longest-running conflict. In the near future this distinction will easily be awarded to the global cyber-war. Every day, much like other security professionals, I see this war from our operations center.
I see Russia, China, North Korea, Iran and even some allies wage war against our infrastructure. If not by name (IP address), then by reputation (APT). If we have learned anything from the Afghan and Iraqi conflicts, it's that success does not always require a standing army. Special Operations have radically shifted the methods of war. Not only is this cheaper and faster, but also more effective at achieving many missions around the world. Today the SpecOps model is being employed in the Syrian conflict. Maybe we should learn from the military and apply seismic shifts to our security approach. Here's how:

First, let's eliminate products from the equation. Building one-off security using tools that are ill-fitted to address the emerging distributed and mobile compute model is security suicide. Products are always out-of-date, and security teams burn valuable resources performing technology refreshes, managing and troubleshooting products rather than operating security. Security as a utility is a much more effective approach. It is simpler and much faster to sign up and turn on than to buy and build out! Make implementation easy and let the development, upgrades, updates and keeping the lights on be someone else's problem. The time your team is not spending on babysitting products can be put to better use operating security.

Second, fight hackers with (ethical) hackers. Build or train security teams of operators – not product administrators. Make your team critical thinkers who focus on "how to break things" rather than the mundane keeping-the-lights-on tasks. Not all hackers are foul-tempered, tattoo-laced, twenty-something rock stars with an ego. There are many agreeable, thoughtful and reliable ethical hackers who can serve in foundational roles on your team. Most importantly, empower them and involve them from the beginning, at the application design, development and roll-out phases.
The traditional medieval security model is not failing; it has already failed spectacularly. Arguably, it was never successful in achieving any of the objectives for which organizations have paid billions of dollars. The product management approach to security is like trying to change the wheels while the car is doing 100 mph. You won't be able to do it and you WILL get hurt along the way.
Security Shaming the Security Ostrich – Let's Make It A Thing

By Bob Gourley, ex-Chief Technology Officer for the Defense Intelligence Agency, and Babak Pasdar, CEO and CTO for Acreto IoT Security

We recently had a conversation with the CEO of an IoT manufacturing company to learn more about their strategy for IoT security. The conversation started with his immediate declaration, "Our IoTs are secure!" "You see," the CEO continued, "we use encrypted connections for all of our IoTs." Given his bold tone, we waited to hear the rest - it never came. We then inquired how he controls access, validates the integrity of the communication, verifies the integrity of data, validates the exchange of functional commands, and handles privacy and identity of the devices. He responded, "You have to understand that our devices aren't smart enough to be hacked." It was a dumbfounding response! We asked if his IoT devices use IP. "Yes," he replied. Are they on the Internet? Again, "Yes". Respectfully, is it possible they are just not smart enough to know they've been hacked?

We went on to explain that even "dumb" IoTs are susceptible to and have been involved in many recent high-profile attacks. We even offered two examples of vulnerabilities that impacted devices like his. However, he was dismissive and unconvinced. This technology CEO is a security ostrich, choosing to bury his head in the sand rather than educate himself, hear different perspectives, and accept input from others.

In another instance, at an event with Maciej Kranz, we met a CTO for a solution provider exclusively focused on building custom IoT-centric applications. We asked this CTO how the organization handled IoT security; the CTO's answer was simple: "We use the certs from Amazon". We dug further and asked how these certs secured his customers' IoTs and applications. He said, and I quote: "Not sure. It's what Amazon offers -- they wouldn't sell something insecure".
Though the exact opposite of the CEO above, this CTO is also a security ostrich. He had no curiosity about what happened to the platforms they developed for their customers.

We have seen many other examples where savvy security officers take what they believe to be prudent steps to help mitigate risk for their newly developed IoT infrastructure. This is a difficult problem, and we empathize with any technologist trying to optimize their IoT security. Their challenge -- utilizing enterprise security tools and approaches for IoT security.

A case in point is an effort by a CISO of a Fortune 500 company who tried very hard to segment his industrial IoT devices into separate networks – a very prudent step. He then acquired a commercial software product that operates at the network level specifically to help improve security. It acted a bit like the old Kerberos solution in computer security, where a separate server gives permission for devices to join and communicate on the network. The problem with this approach is that we have not seen these enterprise security methodologies and technologies scale to the size IoT infrastructure requires. But a bigger problem is that even if it works, it does not prove that a device operates securely once it is allowed on the network. Until now, that kind of magic has not existed. This is a case where the CISO was trying to use yesterday's security tools to solve a next-generation problem, because that's all that was available. When the only tool you have is a hammer, you have to treat everything like a nail.

We exist in a time of unparalleled connectivity. With all the good that this connectivity serves, it also creates exposure. Exposure today is greater than ever, and modern countries – especially the US – are the most exposed. Cyber attacks don't just impact systems, data, publicity, and stock prices – attacks today impact economies and democracies.
IoTs are driving a dependency compute model where each IoT, its dependent applications and the associated management platform all exist on many different public and private networks. Customers no longer control the entire infrastructure on which their IoTs and applications operate. This is why traditional enterprise security tools and approaches, designed to protect concentric networks, just don't work for IoT security. Especially when multiple IoTs exist on a shared network – where each has a different function, for different use-cases, and each uses different remote applications, operated by different entities. When different applications that are owned by different organizations service IoTs sharing a common customer network, all the different networks, IoTs and applications become exposed and vulnerable.

It's not only that these devices are susceptible to compromise. Or that a compromised IoT impacts the integrity of the application and dataset it serves. It's not even that the company's customers and the customers' customers are impacted. By putting these vulnerable devices on the Internet, IoTs become force multipliers to launch new and more menacing attacks on many other public networks, systems, applications, and datasets. And with the prevalence of Clouds, everything is public!

IoT manufacturers and development shops should practice greater scrutiny regarding their IoT security. Despite an IoT's small size, with IoTs, everything is bigger. If the overly confident CEO and disengaged CTO don't respect IoT security for their own product, company, and customers, then they should at least consider the impact their actions, or inaction, have on the rest of us.

Isn't it time we started treating security like littering? Maybe we should make security shaming a thing, where the entire cyber community gets involved in security shaming those who are reckless, disassociated and especially the inappropriately bold.
Essentially, all cases where those in the industry who are in a position to enact impactful change choose not to act. Could security shaming drive the change the IoT security industry needs? Perhaps! Better yet, we should treat security much like a public health crisis -- where even a single instance of an outbreak is treated with the greatest sense of urgency by the entire community.

The behavior of the security ostrich is rather formulaic. Focus on functionality. When the system is reasonably functional, then focus on performance. And when it's performing reasonably well, then and only then do some turn their attention to security. By this point, the only options are bolt-ons and band-aids.

Moreover, some deploy self-centered risk–reward IoT security where they choose not to enact security at all. In other words, there are times when it costs more to secure some or all platform assets than they are worth to the organization. Though this may look like a business decision, in actuality it is a myopic perspective that empowers hackers – against everyone! Regardless of the asset value, securing all assets with uniform and consistent security has a dramatic positive impact on the security big picture for everyone. What is suggested here is akin to the "broken windows" policing model, where eliminating the small crimes dramatically reduces the big crimes.

The IoT industry is still principally focused on function. Everyone is trying to get their heads around how to make everything actually work. However, it is precisely at this stage when there should be a focus on security – during the architecture and design phases. We can no longer sit back, look from the outside in, shrug and say it's their problem -- not mine. If there is one thing that the massive denial of service attacks, botnets, ransomware, and data thefts have taught us, it is that the security weak links on the Internet are weaponized against everyone.
In one case the CEO was inappropriately confident; in another the CTO was disengaged and trusting to a fault. These security ostrich executives hurt all of us – perhaps their actions are not malicious, but they are definitely negligent. And their actions impact business and consumer, global enterprises and family operations, Americans and allies, us – you – everyone. Most importantly, business leaders, tech executives or the tuned-in slash concerned participants of the tech industry should learn a lesson from their errors.

However, the CISO truly cared about doing the right thing and was failed by the industry's lack of viable options for the IoT security challenge. This is especially true when cloud, IoT, and dependency compute are involved. In this case the security industry is too conservative and looks down on progressive approaches. And progressive approaches are precisely what this CISO needed.

Let's invoke an old Internet term that needs to be resurrected: be a good Netizen. Some, if not the majority, of the effort for IoT security falls on the manufacturers and developers. They have to provide viable options for the industry. But at the same time customers and solution providers should be thoughtful and mandate security that drives the manufacturers and developers. Think of it this way: anyone who ignores IoT security recklessly and negligently drags their muddy shoes across everybody else's clean white carpet – when they should know better!
The Acreto platform offers simplicity and agility, and is guaranteed to protect IoTs for their entire 8-20 year lifespan. The company is founded and led by an experienced management team, with multiple successful cloud security innovations. Learn more by visiting Acreto IoT Security on the web at acreto.io or on Twitter @acretoio.
Russian Nation State Hackers & What We're Not Doing About It

By Bob Flores, former Chief Technology Officer of the CIA, and Babak Pasdar, CEO and CTO of Acreto IoT Security

The effective use of Russian nation state hackers led to a hacked election that has resulted in a hacked America. We're still licking our wounds and not doing anything about it. In fact, we are arguing about whether it happened at all!

Cybersecurity strategy incorporates the confluence of technology, business and geopolitics, with so many moving parts that to call them complex is an understatement. Strategies must span multiple geographies across a plurality of nations and continents. That is why no one can "go it alone". Today we need our friends more than ever, not just for geopolitics, but also for cyber defense. Collaboration is the underpinning of cybersecurity.

As the largest global economy that comprises infrastructure, industry, enterprise and institutions, the US is the most technologically advanced. Many American companies span the globe, making them one big glass house while the rest of the cyber world are kids with rocks on a dare. These "kids with rocks" fall into four major categories. First, there are hacktivists, who hack for their cause; the best known of these is the loosely bound group called Anonymous. The second category is terrorist organizations such as ISIS and Al Qaeda. These organizations recognize cyber warfare as a cornerstone of their mid- to long-term strategy and are working feverishly and investing heavily to bring it to maturity. The third group is financial hackers. The best way to describe financial hackers is as the Mob's and the Cartels' online arm. And finally, the most dangerous are state-sponsored hackers. Even though they operate behind triple or quadruple blind systems, which makes tracking them extremely difficult, they can be identified by their unique hacking techniques, or fingerprints.
Nation state hackers are not the moody lone-wolf nocturnal teenagers cranking death metal and surviving on Amp energy drinks. That's a TV cliche. And hacking is not an organic game of pickup, where individual hackers are swapped indiscriminately. Nation state hackers are carefully curated teams that train, collaborate and solve problems together. Not only do they have to get along and gel over time, but they have to build and test many foundational tools they need to perform the advanced objectives they are charged with. Sometimes this can take years!

Let's Talk Hacking Fingerprints

Cyber-threat intelligence organizations that monitor and track Advanced Persistent Threats (APTs) use their threat fingerprints to build a profile on each team over time. The collection of fingerprints defines each team, otherwise called an APT. The profile fingerprints for the Russians, Chinese, North Koreans and Iranians all vary. Each APT, or distinct hacking group, is assigned a unique number for identification. For example, APT37 is North Korea, APT34 is Iran, and the American election hacks are associated with APT28 and APT29, which are Russian nation state hackers. In fact, APT28, otherwise known as "Fancy Bear", is a completely different team than APT29, "Cozy Bear", both of which work for the Russian Government.

As an example, here is a sample of the fingerprint for Fancy Bear (APT28), which has been tracked since 2007, and the reasons for American intelligence agencies' confidence in Russia as the source of the election hacks. Some quick-hit details for APT28:

Target sectors: the Caucasus, particularly Georgia; eastern European countries and militaries; the North Atlantic Treaty Organization (NATO) and other European security organizations and defense firms.

Focus: cyber-espionage.

Summary overview: APT28 is a skilled team of developers and operators collecting intelligence on defense and geopolitical issues, intelligence that would be useful only to a government. This APT group compiles malware samples with Russian language settings during working hours (8 a.m. to 6 p.m.), consistent with the time zone of Russia's major cities, including Moscow and St. Petersburg. This suggests that APT28 receives direct ongoing financial and other resources from a well-established organization, most likely the Russian government.

Tools commonly used by APT28 include the SOURFACE downloader, its second-stage backdoor EVILTOSS and a modular family of implants dubbed CHOPSTICK. APT28 has employed RSA encryption to protect files and stolen information moved from the victim's network to the controller. It has also made incremental and systematic changes to the SOURFACE downloader and its surrounding ecosystem since 2007, indicating a long-standing and dedicated development effort. Known operations include Operation RussianDoll, in which Adobe and Windows zero-day exploits were leveraged in highly targeted attacks.

There are other means for determining the source of attacks. Aside from fingerprinting, intelligence agencies track the sale of zero-day exploits purchased on the markets. Zero-days are exploits for previously unknown vulnerabilities. There are numerous commercial and underground organizations whose business is finding, exploiting and weaponizing vulnerabilities. Once the exploit is developed, it's put up for bid, and governments are the most affluent bidders. Commercial organizations offer them for sale on the public market to sanctioned agencies, while underground groups sell their exploits on the black market (the Dark Net) to the highest bidder indiscriminately. In the case of juicy exploits, the buyer may pay significant sums for the privilege of exclusivity.
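The compile-time fingerprint described above (samples built during Moscow working hours, Monday to Friday) is a signal an analyst computes from the TimeDateStamp in each sample's PE/COFF header. What follows is an added example, not code from Acreto or from any threat-intelligence vendor: it reads that timestamp from a constructed PE header, converts it to a fixed UTC+3 (an assumption standing in for Moscow time; Russia has used that offset without DST since 2014), scores how many samples fall between 08:00 and 18:00 on a weekday, and then asks which UTC offset explains the sample set best. The six sample timestamps and the `build_fake_pe` fixture are constructed for the demonstration.

```python
import struct
from datetime import datetime, timedelta, timezone

# Assumption: Moscow is modelled as a fixed UTC+3 offset with no DST, the rule
# in force since 2014. Older samples would need the historical rules for their year.
MOSCOW = timezone(timedelta(hours=3), "MSK")
UTC = timezone.utc


def pe_compile_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since the Unix epoch) of a PE image.

    Layout: 'MZ' DOS header, e_lfanew at 0x3C pointing at 'PE\\0\\0', then the
    COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (timestamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return timestamp


def build_fake_pe(timestamp: int) -> bytes:
    """Constructed minimal MZ + PE/COFF header carrying the given TimeDateStamp.

    Only the fields this example reads are meaningful; it is a fixture, not a
    loadable executable.
    """
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 3, timestamp, 0, 0, 0xF0, 0x22)
    return bytes(dos) + b"PE\0\0" + coff


def working_hours_fraction(timestamps, tz=MOSCOW, start=8, end=18) -> float:
    """Fraction of timestamps that fall Monday-Friday with start <= hour < end in tz."""
    if not timestamps:
        return 0.0
    hits = 0
    for ts in timestamps:
        local = datetime.fromtimestamp(ts, tz)
        if local.weekday() < 5 and start <= local.hour < end:
            hits += 1
    return hits / len(timestamps)


def best_utc_offset(timestamps, candidates=range(-12, 15)) -> int:
    """UTC offset (whole hours) under which the most samples land in working hours.

    Ties go to the smaller offset. The compile timestamp is attacker-controlled
    and can be zeroed or forged, so this is one signal to weigh alongside
    tooling, language settings and targeting, never proof on its own.
    """
    best, best_frac = None, -1.0
    for hours in candidates:
        frac = working_hours_fraction(timestamps, timezone(timedelta(hours=hours)))
        if frac > best_frac:
            best, best_frac = hours, frac
    return best


# Constructed sample: six "compile times" expressed in MSK local time.
SAMPLE_LOCAL_TIMES = [
    datetime(2015, 3, 10, 10, 15, tzinfo=MOSCOW),  # Tue, inside working hours
    datetime(2015, 3, 11, 14, 40, tzinfo=MOSCOW),  # Wed, inside
    datetime(2015, 3, 12, 17, 59, tzinfo=MOSCOW),  # Thu, inside
    datetime(2015, 3, 13, 8, 5, tzinfo=MOSCOW),    # Fri, inside
    datetime(2015, 3, 14, 11, 0, tzinfo=MOSCOW),   # Sat, weekend
    datetime(2015, 3, 16, 3, 30, tzinfo=MOSCOW),   # Mon, night
]
SAMPLE_IMAGES = [build_fake_pe(int(d.timestamp())) for d in SAMPLE_LOCAL_TIMES]


def analyze_images(images):
    """Extract timestamps from PE images; return (MSK working-hours fraction, best UTC offset)."""
    stamps = [pe_compile_timestamp(img) for img in images]
    return working_hours_fraction(stamps), best_utc_offset(stamps)


if __name__ == "__main__":
    frac, offset = analyze_images(SAMPLE_IMAGES)
    print(f"{frac:.0%} of samples compiled Mon-Fri 08:00-18:00 MSK; best-fitting offset UTC{offset:+d}")
```

Run on the constructed set, four of six samples sit inside MSK working hours, while the same timestamps read as UTC put only two of six there, and UTC+3 is the offset that explains the most samples. On a real corpus an analyst would run this over hundreds of samples and look for a sharp peak rather than a handful of hits.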
The buyer wants the advantage of a weapon that nobody else has. All governments use a variety of proprietary techniques, technologies and informants to track the exploit inventory of both rival and allied countries.

Ultimately the recourse to cyber attacks is a blunt instrument in the form of counter-attack. Counter-attacks may include counter hacks, economic sanctions, embargoes, or a combination. However, for a government to get involved in countering attacks, large organizations or critical infrastructure are usually involved, and even then it is reserved for the largest and most egregious attacks. The American election compromise is such an example.

At this particular point in time, America has opted for a "go it alone" approach to global relationships. Collaboration on cyber issues is not exempt from this. As the occupant of "The Big Glass House" in a world of rock-throwing kids, especially Russian nation state hackers, America needs its friends more than ever. Even though we have been hacked, America is still not minding the store. Collaboration between government and commercial threat intelligence is key to a successful cyber strategy.

The nation's top intelligence officer, Director of National Intelligence Dan Coats, indicated on Friday, July 13, and I quote: "persistent danger of Russian cyberattacks today was akin to the warnings the United States had of stepped-up terror threats ahead of the Sept. 11, 2001, attacks. The system was blinking red," Coats said. (nytimes.com) "Here we are nearly two decades later and I'm here to say the warning lights are blinking red again. Today, the digital infrastructure that serves this country is literally under attack. Every day, foreign actors - the worst offenders being Russia, China, Iran, and North Korea - are penetrating our digital infrastructure and conducting a range of cyber-intrusions and attacks against targets in the United States".
Recently, Congress has zeroed out nearly $400 million from the fund used to protect the integrity of our election and has blocked subsequent efforts to fund it across partisan lines. In April 2018, the White House Cybersecurity coordinator was relieved from his role less than six months from the November elections. As of the end of July no replacement has been named. Moreover, tough sanctions passed by Congress in July 2017 are yet to be implemented as of July 2018. It may be too late for anyone to take the helm and implement meaningful protections at such a late stage.

Collaborating to stop these attacks requires leadership, funding, a competent team, communications and sharing. At this point in time we have the competent team members, in the form of our intelligence agencies, that are raring to be let loose. However, there is no leadership, no mandate and no funding. We also find ourselves in a strange situation with sparse dialog with our allies due to newly formed political trust issues. The patient is not in trouble because a first-year med student is the surgeon. Rather, the patient has been abandoned by the surgeon with little time to live, while the operating room is dark because nobody paid the utility bill.

Next in this series we will look at an example of Russia's nation-state hacking teams and their construct in our blog: Putin's Eleven – Nation State hacker teams uncovered. Learn more by visiting our web site: Acreto.io -- On Twitter: @acretoio and, if you haven't done so, sign up for the Acreto Crypto-n-IoT podcast. You can get it from Apple, Google or your favorite podcast app.
Blockchain, it slices, dices and juliennes, but is there a Blockchain security function?

The industry portrays that Blockchain will solve the world's woes. Legacy companies like IBM, HP and Dell are touting Blockchain as the cure-all for anything and everything. Blockchain security seems to be the latest craze. In fact, the 'Blockchain as a security savior' message is so ubiquitously promoted and repeated that it has become an accepted fact. For many, Blockchain is not just secure; Blockchain IS security. We're here to tell you it's not. Here's why:

Crypto technologies and their variants such as Blockchain were designed to fulfill the following capacities:

Denomination - Blockchain functions as crypto-currency, with a specific market value.

Transaction Processing - Blockchain exists as a denomination-independent way to process financial transactions, similar to a credit card.

Data Validation - Blockchain validates and verifies non-financial transactions and content.

Blockchain provides a decentralized way to process and validate transactions. This is done over public networks while the transacting parties and the processing parties maintain their anonymity. Once the transaction is validated, it is documented in a public ledger shared across many systems. These make up the Blockchain network.

Business applications are built on multiple components. These include endpoints, systems, hardware, programs and data-sets, all of which have exposure points, referred to as an attack surface. Application platforms that use Blockchain are no exception. Though Blockchain is not susceptible to manipulation or fraud while in transit, it does nothing to secure the multiple attack surfaces and associated vulnerabilities of the platform components. This means the endpoints, servers, applications and clouds that make up the platform remain vulnerable. A compromise of any of these systems could allow the attacker to forge seemingly legitimate Blockchain transactions. The end result?
A transaction that appears to be made by an authorized user and endpoint, and which is processed by an authorized application. Blockchain is incapable of offering any protection in this scenario.

So what drives the industry to tout Blockchain as security? Even though proper cyber-security requires multiple functions (i.e. identity, controls, privacy and threat management, among others) to protect the entire application platform, Blockchain is limited to ensuring the integrity of the transactions. Without the implementation of other security functions, the entire platform remains exposed and vulnerable. Blockchain protects the transaction in a very limited and granular way. Yet large swaths of the industry believe it is a new way to secure entire technology platforms!

No doubt, this is an undesirable byproduct of marketing departments gone wild. In their clamor to "simplify" the complex nature of Blockchain, they have managed to confuse, convolute and even misdirect. It's like PayPal claiming that they protect your bank account.

There are many benefits to using Blockchain as a denomination, for financial transaction processing or for non-financial data validation, but not Blockchain security. The sooner the industry is clear about the practical application of Blockchain, the more confidently it can be used in business applications. With that, Blockchain's growing use in real business applications can even stabilize the turbulent and unpredictable coin markets.

Here is one of the articles that mislabels Blockchain's function: Blockchain Security: What keeps your transaction data safe. No company is more guilty than IBM.

BONUS: The blockchain craze has taken on such a life of its own that we created this spoof based on old infomercials, called Bloxychain!
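The distinction the Blockchain article draws, that a chain guarantees the integrity of what is recorded but says nothing about whether the endpoint that issued a transaction was legitimate, can be made concrete. The following is an added example, not Acreto's code and not any real blockchain implementation: a toy hash-chained ledger whose transactions carry an HMAC tag under a per-account secret, an assumed stand-in for a keypair and digital signature so the example needs no third-party library. Account names and keys are constructed. `verify()` performs every check the chain itself can make (linkage, block digests, transaction tags); it catches an after-the-fact edit to the ledger, rejects a transaction tagged with the wrong key, and accepts a transaction tagged with a key that came from a compromised endpoint, because nothing in the chain can tell who held that key.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed sample accounts. The per-account secret and HMAC stand in for a
# real keypair and digital signature (an assumption made to keep the example
# dependency-free); the integrity argument is the same either way.
ACCOUNT_KEYS = {
    "alice": b"alice-secret-key",
    "bob": b"bob-secret-key",
}


def canonical(obj) -> bytes:
    """Stable serialization so digests and tags are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def tx_tag(tx: dict, key: bytes) -> str:
    """Authenticate the transaction body (all fields except the tag) under the signer's key."""
    body = {k: v for k, v in tx.items() if k != "tag"}
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()


def make_tx(sender: str, recipient: str, amount: int, key: bytes) -> dict:
    tx = {"from": sender, "to": recipient, "amount": amount}
    tx["tag"] = tx_tag(tx, key)
    return tx


def block_digest(prev_digest: str, txs: list) -> str:
    """Each block commits to its predecessor's digest and to its own transactions."""
    return hashlib.sha256(prev_digest.encode() + canonical(txs)).hexdigest()


@dataclass
class Block:
    prev_digest: str
    txs: list
    digest: str = ""

    def __post_init__(self):
        self.digest = block_digest(self.prev_digest, self.txs)


class Ledger:
    def __init__(self):
        self.chain = [Block("0" * 64, [])]  # genesis block

    def append(self, txs: list) -> None:
        self.chain.append(Block(self.chain[-1].digest, txs))

    def verify(self) -> bool:
        """Everything the chain itself can check: linkage, block digests, transaction tags."""
        for i in range(1, len(self.chain)):
            blk, prev = self.chain[i], self.chain[i - 1]
            if blk.prev_digest != prev.digest:
                return False
            if blk.digest != block_digest(blk.prev_digest, blk.txs):
                return False
            for tx in blk.txs:
                key = ACCOUNT_KEYS.get(tx.get("from"))
                if key is None or not hmac.compare_digest(tx.get("tag", ""), tx_tag(tx, key)):
                    return False
        return True


def ledger_edit_is_detected() -> bool:
    """Altering a recorded transaction breaks the digest chain, and verify() reports it."""
    ledger = Ledger()
    ledger.append([make_tx("alice", "bob", 5, ACCOUNT_KEYS["alice"])])
    ledger.chain[1].txs[0]["amount"] = 500  # tamper with the ledger after the fact
    return ledger.verify() is False


def wrong_key_is_rejected() -> bool:
    """A transaction tagged with someone else's key fails the tag check."""
    ledger = Ledger()
    ledger.append([make_tx("alice", "bob", 5, ACCOUNT_KEYS["bob"])])
    return ledger.verify() is False


def unauthorized_tx_with_valid_key_passes() -> bool:
    """A transaction issued from a compromised endpoint that holds alice's key is
    indistinguishable, to the chain, from one alice issued herself."""
    ledger = Ledger()
    key_held_by_compromised_endpoint = ACCOUNT_KEYS["alice"]  # the article's scenario
    ledger.append([make_tx("alice", "bob", 5, key_held_by_compromised_endpoint)])
    return ledger.verify() is True
```

The third function is the article's point in code: the chain's integrity check passes, so protection against that case has to come from the other functions the article lists (identity, endpoint controls, threat management), not from the ledger.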