We’ve all heard the saying “there is no delete button on the Internet,” but we secretly hope that when we take that unflattering photo off Facebook, it’s gone for good. Well, attendees at the Automation Conference & Expo last week saw for themselves that’s simply not the case. A presentation by a Certified Ethical Hacker (CEH) showed the audience how easy it is to resuscitate an old, seemingly deleted MySpace account—pictures and all.
Although that may seem trivial in today’s world of cyber threats, it was just one example shown by the presenter—who remained anonymous as he is part of InfraGard, a collaboration between the FBI and the private sector to protect critical infrastructure. To make the information relevant to the audience, the CEH—using a hacker search engine called Shodan—was able to show a communications layer exploit that captured MQTT discussions between devices running on the Internet, ranging from soda machines to industrial valves.
Though he did uncover thousands of devices exposed on the Internet, he explained how MQTT devices can be protected through a Software Defined Perimeter (SDP), otherwise known as the Black Cloud. The SDP uses single packet authorization so the receiving devices are “blackened” and therefore hackers can’t see it. The audience was also informed that the popular development tool, Raspberry Pi, is not secure and would be the first thing a malware program would scan for in the enterprise.
The CEH further explained there are multiple layers of exposure, including the invisible threats to the privacy of people tapping their keyboards. Marketers use human behavior analytics to track what you click on and serve up advertisements that support your interests. Hackers, however, use digital profiling for pattern matching to identify the ways you connect to the Internet, watch your behavior and obtain your log-in and password information. At the end of the day it is not you they want; they will use you as a way into your company.
“Hackers are in your life for two years before they hit your company,” the CEH said.
Because we live in the land of the Internet of Everything, everything from a refrigerator to your cellphone is an opening into the enterprise. So how do we protect ourselves and our companies? First and foremost, be aware of what you are posting on social media—even a simple picture can provide clues to the cyber criminals. Install browser add-ons like Ghostery that can block tracking technologies, turn off location services on your phone and, of course, encrypt data moving between smart devices.
Practice cyber situational awareness, the CEH said. “When you talk to someone, you think about where you are, how loud you are being, what the subject is. Take that same mindset and apply it to cyber. Think before you connect.”