We’ve all heard the saying “there is no delete button on the Internet,” but we secretly hope that when we take that unflattering photo off Facebook it’s gone for good. Well, attendees at the Automation Conference & Expo last week saw for themselves that that’s not the case. A presentation by a Certified Ethical Hacker (CEH) showed the audience how easy it is to resuscitate an old “deleted” MySpace account—pictures and all.
While that may seem trivial in today’s world of cyber threats, it was just one example by the presenter—who must remain anonymous as he is part of InfraGard, a collaboration between the FBI and the private sector to protect critical infrastructure. To make the information relevant to the audience, the CEH, using a hacker search engine called Shodan, was able to show a communications layer exploit that captured MQTT discussions between devices running on the Internet, ranging from soda machines to industrial valves.
Though he did uncover thousands of devices exposed on the Internet, MQTT devices can be protected through a software defined perimeter (SDP), otherwise known as the Black Cloud. The SDP uses single packet authorization so that the receiving devices are “blackened” and therefore hackers can’t see them. The audience was also informed that the popular development tool, Raspberry Pi, is not secure, and would be the first thing a malware program would scan for in the enterprise.
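How single packet authorization keeps a listener dark, as an added sketch that is not from the presentation or from any SDP product. The packet layout, the shared key, the time windows and the names `build_knock` and `SpaGate` are assumptions made for illustration; port 8883 stands in for an MQTT-over-TLS broker behind the gateway.

```python
import hashlib, hmac, json, os, time

MAX_SKEW = 30   # seconds a knock stays fresh (assumed value)
OPEN_FOR = 20   # seconds the firewall rule stays open (assumed value)

def build_knock(key, port, now=None):
    """Client side: one datagram = HMAC-SHA256 tag (32 bytes) + JSON body."""
    body = json.dumps({"port": port,
                       "ts": int(time.time() if now is None else now),
                       "nonce": os.urandom(16).hex()}).encode()
    return hmac.new(key, body, hashlib.sha256).digest() + body

class SpaGate:
    """Gateway side: default-drop, and never answers the sender."""
    def __init__(self, key):
        self.key = key
        self.seen = set()   # nonces already used (expire these in real use)
        self.rules = {}     # (src_ip, port) -> expiry time

    def handle(self, packet, src_ip, now=None):
        now = time.time() if now is None else now
        tag, body = packet[:32], packet[32:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Authenticate before parsing; failures are dropped silently so a
        # scanner cannot distinguish this host from an unused address.
        if not hmac.compare_digest(tag, expected):
            return False
        try:
            msg = json.loads(body)
            ts, port, nonce = int(msg["ts"]), int(msg["port"]), str(msg["nonce"])
        except (ValueError, KeyError, TypeError):
            return False
        if abs(now - ts) > MAX_SKEW or nonce in self.seen:
            return False    # stale or replayed knock
        self.seen.add(nonce)
        self.rules[(src_ip, port)] = now + OPEN_FOR
        return True

    def is_open(self, src_ip, port, now=None):
        now = time.time() if now is None else now
        return self.rules.get((src_ip, port), 0) > now
```

The broker port is reachable only from the source address that sent a valid knock, and only until the rule expires; every other packet, including a captured knock sent a second time, gets no response at all.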
And, as if that’s not enough, there are multiple layers of exposure, including the invisible threats to the privacy of the people tapping their keyboards. Marketers use human behavior analytics to track what you click on and serve up advertisements that support your interests. Hackers, however, use digital profiling for pattern matching to identify the ways you connect to the Internet, watch your behavior and get your log-in and password information. At the end of the day it is not you they want, but to use you as a way into your company.
“Hackers are in your life for two years before they hit your company,” the CEH said.
And, because we live in the land of the Internet of Everything, everything from a refrigerator to your cellphone is an opening into the enterprise. So how do we protect ourselves and our companies? First and foremost, be aware of what you are posting on social media—even a simple picture can provide clues to the cyber criminals. Install browser add-ons like Ghostery that can block tracking technologies, turn off location services on your phone, and, of course, encrypt data moving between smart devices.
Practice cyber situational awareness, the CEH said: “When you talk to someone, you think about where you are, how loud you are being, what the subject is. Take that same mindset and apply it to cyber. Think before you connect.”