Tech Friday with Dave Hatter - October 2nd 2020 - SPONSORED BY INTRUST IT


  • "Smart" devices: No coffee for you until you pay the ransom:
    • As many traditional devices become "smart" and can connect to the Internet, you should ask yourself if you really need your refrigerator online
    • Many of these Internet of Things (IoT) devices are rushed to market with little to no security
    • Hackers love these "smart" devices because they are easy to hack, always on, and often have high-bandwidth connections, making them perfect for botnet attacks
    • They are often hard to update and users are unaware that they need to be patched and secured
    • Before you start adding "smart" devices to your network, you should think about the implications
    • IoT devices are being attacked in many ways:
      • Hackers may compromise IoT devices to use them to attack other devices and networks (botnets)
      • Hackers attempt to compromise IoT devices to get into your network and attack other devices
      • Hackers may try to steal data from a device
      • Hackers may use an IoT device to spy if it has a microphone or camera
    • These attacks have caused new concerns about the vulnerability of millions of “smart” devices that are increasingly appearing in homes and businesses
    • Casey Ellis, CEO of Bugcrowd said "IoT security has been horribly flawed ever since it first became a thing, largely because of the pace that new products have to go to market, and the fact that designing security is seen by vendors as 'slowing things down.'"
    • In one attack, as many as 1,000,000 Chinese-made security cameras, digital video recorders and other devices were enlisted in DDoS attacks
    • A similar attack was launched against Rio Olympics-related websites by cable set-top boxes and home routers
    • Experts estimate there will be 75 billion IoT devices by 2025
    • Many toys (dolls, cars, drones, robotics, games, etc.) are increasingly connected to the Internet and bringing the same type of capability into the home
    • Many "smart" toys include microphones, cameras and/or video cameras
    • The Shodan search engine makes it easy to find and target insecure devices
    • Many IoT devices are notoriously insecure and are infrequently, if ever, updated once deployed
    • The onus for security updates is on the owner, and updating can be difficult
    • Martin Hron, an Avast researcher, recently reverse engineered a $250 Smarter coffee maker
    • Hron wrote "I was asked to prove a myth, call it a suspicion, that the threat to IoT devices is not just to access them via a weak router or exposure to the internet, but that an IoT device itself is vulnerable and can be easily owned without owning the network or the router"
    • Hron was successful. When the machine is connected to the network, the burner turns on, it spouts hot water, the bean grinder starts grinding, and it displays a ransom message while crazily beeping.
    • Unplugging it is required to stop the madness
    • Hron said "With the pace of IoT explosion and bad attitude to support, we are creating an army of abandoned vulnerable devices that can be misused for nefarious purposes such as network breaches, data leaks, ransomware attack and DDoS."
    • As with any Internet-connected device, you must ensure that you install patches and updates on the device
    • "It’s going to be very difficult to convince consumers to patch their refrigerator" - Matthew Prince, CEO of security provider CloudFlare Inc.
    • Watch the hacked coffee maker here: https://www.youtube.com/watch?v=bJrIh94RSiI&feature=emb_logo
  • Deepfakes could be used to disrupt the election:
    • Advances in computer power and machine learning have led to technology known as Deepfakes, which is making it hard to believe your own eyes and ears
    • New algorithms can take a single photo of someone and create a video that is completely fabricated but very, very realistic and that shows them saying and doing things that they did not actually do
    • MIT recently released a deepfake video as part of a project known as "In Event of Moon Disaster" to demonstrate the disturbing power of these videos
    • The video mixes actual NASA footage with President Nixon delivering the news that NASA failed and astronauts died on the moon
    • It took MIT AI experts 6 months to create the very convincing 7-minute video. Watch it here: https://www.youtube.com/watch?v=LWLadJFI8Pk&feature=youtu.be
    • Pinscreen is a Los Angeles start-up that has created the technology; they believe these renderings will become so realistic that it will be virtually impossible to determine what is real
    • FakeApp is one of several new AI-powered synthesizing tools that don't require specialized hardware or skilled experts to create convincing fake videos
    • Software such as FakeApp can be used for fraud, forgery, and propaganda. FakeApp has been downloaded more than 100,000 times and has been used to create many fake pornographic videos featuring celebrities and politicians
    • FakeApp is relatively easy to use: a user "trains" it with hundreds of photos of source and target faces. It relies on deep-learning algorithms to find patterns and similarities between the two faces
    • "Ten years ago, if you wanted to fake something, you could, but you had to go to a VFX studio or people who could do computer graphics and possibly spend millions of dollars," says Dr. Tom Haines, lecturer in machine learning at University of Bath. "However, you couldn't keep it a secret, because you'd have to involve many people in the process."
    • There are many possible applications for this technology and many of them are malicious. Imagine the capability to use fake videos for blackmail, revenge or propaganda
    • There are also concerns about the possible impact of deepfakes on the upcoming election because the videos are fake, easy to make, and can be shared easily and quickly on social media
    • "Deepfakes can be made by anyone with a computer, internet access, and interest in influencing an election" - John Villasenor, a professor at UCLA focusing on artificial intelligence and cybersecurity
    • Paul Barrett, adjunct professor of law at New York University, said, "a skillfully made deepfake video could persuade voters that a particular candidate said or did something she didn’t say or do."
    • It currently is not a crime in the US to create fake videos. But "using a fake video to commit another crime — such as extortion or fraud or harassment — would be illegal under the laws covering the other crimes" - Barrett.
    • The legality of deepfakes could change in the future; there are bills in Congress to limit their use, and some states have taken action
    • California and Texas enacted laws that make deepfakes illegal when they’re used to interfere with elections
    • The Malicious Deep Fake Prohibition Act was introduced in Congress in December 2018
    • The DEEPFAKES Accountability Act, short for “Defending Each and Every Person from False Appearances by Keeping Exploitation Subject to Accountability Act,” was introduced in 2020. It would require creators to label false videos or face up to five years in prison
    • There is work being done on technology to identify deepfakes
    • Hany Farid, a digital forensics expert at Dartmouth College, said watching for blood flow in the face can sometimes determine whether footage is real. He also said slight imperfections at the pixel level may reveal fake video
    • TheFakening is a YouTube channel dedicated to deepfakes: https://www.youtube.com/channel/UC5D-8hVVwLB0DNrcSBqoVxgver
  • October is National Cybersecurity Awareness Month (NCSAM):
    • Motto: “Do Your Part. #BeCyberSmart.”
    • Held every October, now in its 17th year
    • Effort between government and industry to raise awareness about the importance of cybersecurity
    • Objective is to provide Americans with the resources they need to be safer and more secure online
    • Key areas include citizen privacy, consumer devices, and e-commerce security
    • A recent study reported that only 31% of Americans are concerned with data security despite a 400% increase in cyberattacks this year
    • Phishing attacks are up 5 times over last year
    • CNBC reported that cyberattacks now cost $200,000 on average and put some out of business
    • Ransomware costs have risen 184% from $12,762 to $36,295 in Q2 2019 according to a Coveware study
    • The FBI said Business Email Compromise (BEC) is a $26 Billion enterprise
    • SCORE reported that 43% of attacks are on SMBs
    • An Accenture / Ponemon study found an 11% increase in security breaches in 2019
    • 89% of breaches had a financial or espionage motive; 64% of confirmed data breaches involved weak, default or stolen passwords - Verizon 2016 Data Breach Investigations Report
    • A Clark School study at the University of Maryland is one of the first to quantify the near-constant rate of hacker attacks on computers with Internet access: every 39 seconds on average, affecting one in three Americans every year
    • By 2025 there will be roughly 75 billion connected devices. According to figures compiled within a recent Symantec Internet Security Threat Report, there are 25 connected devices per 100 inhabitants in the US. Each is a risk
    • 95% of cybersecurity breaches are due to human error
    • 92% of malware is delivered by email
    • https://www.cisa.gov/national-cyber-security-awareness-month
    • What you can do:
      • Data breach costs are expected to reach $5 trillion by 2024
      • Use Anti-Malware / Endpoint protection
      • Install Software patches & firmware updates regularly
      • Use a Password Manager
      • Enable Multi-Factor Authentication (MFA) everywhere
      • Use a firewall
      • Avoid Public Wi-Fi
      • Use a Virtual Private Network (VPN)
      • Don't download "free" software you have not vetted
      • Use Encryption (at rest and in motion)
      • Backup data and verify the backup integrity
      • Take a Zero Trust stance
      • SETA (Security, Education, Training and Awareness)
      • Be skeptical
      • Remember, just because you're paranoid doesn't mean they're not out to get you