The Internet Is at a Crossroads: We Have a Choice to Make

As we look around at a rapidly changing world that is shaped more and more by the digital domain, we see an Internet that faces many challenges. We see an Internet at a crossroads, where we have critical choices to make about its evolution in the years to come.

Those choices will determine whether we continue to benefit from an Internet that opens up a world of opportunity for everyone online, or whether we grow more fearful of it as a negative influence on our lives. People’s hopes and fears about the Internet today are dividing us and its future.

The notion of hope and progress has defined our view of the Internet since its inception. Its own growth has taken it from obscure computer-to-computer connections to a social and economic powerhouse. It is the platform on which young people and an ever-growing number of women can invent their own futures. Small enterprises and communities all over the world are using digital tools to mobilize and empower themselves to access new markets, grow their economies and provide vital services to their citizens.

Of course, we must see the adoption of the Internet for what it is: a reflection of everything in society itself.

In light of growing sentiment that the Internet is fueling social and cultural divisions, there are legitimate concerns around the safety and security of life on the Internet. I discuss these themes in an article published this week as part of the launch of an edition of the Journal of Cyber Policy produced in a partnership between Chatham House and the Internet Society. To mark the occasion, we are also hosting a livestreamed panel discussion in partnership with Chatham House entitled “Do we still trust the Internet?” Here, we will explore concerns around the ‘securitization’ of the Internet, where a focus on national security and political control is usurping the notion of a “people-centric” Internet for everyone.

To solve these fundamental issues we need new models to address the challenges. My view is that the answers lie in the principles that have defined the Internet to date. These include: openness, global connectedness, trustworthiness, transparency, collaboration and inclusion. These values should remain at the forefront of the Internet and the policies that shape it.

We have already done much of the work and the thinking that puts these values at the heart of the Internet’s future. The global Internet community has called for collaborative decision-making: the multistakeholder model that has been used in the organizations and policies that built the Internet. And this is exactly the context in which much of the global Internet community will come together next week at the Internet Governance Forum in Geneva. I look forward to the gathering of this engaged and energized global community.

It is an important time to talk about how we can turn thinking into reality. We have an opportunity to explore how we can expand the collaborative decision-making model, how we can do more, say more and move beyond the confines of discussion to put the mechanisms, policies and practices in place that will shape the future of the Internet.

Above all, we can reaffirm our commitment to an Internet that is truly for everyone by making choices that take us toward opportunity, not toward fear.


Image credit: Veni Markovski on Flickr CC BY NC

The post The Internet Is at a Crossroads: We Have a Choice to Make appeared first on Internet Society.

Internet Society

Another BGP Routing Incident Highlights an Internet Without Checkpoints

Yesterday, there were two BGP routing incidents in which several high-profile sites (Google, Apple, Facebook, Microsoft, Twitch, NTT Communications and Riot Games) were rerouted to a previously unused Russian AS. The incidents only lasted about three minutes each, but demonstrated once again the lack of routing controls like those called for in MANRS that could have prevented this from happening.

As reported in BGPmon’s blog post on 12 December,

“…our systems detected a suspicious event where many prefixes for high profile destinations were being announced by an unused Russian Autonomous System.

Starting at 04:43 (UTC) 80 prefixes normally announced by organizations such as Google, Apple, Facebook, Microsoft, Twitch, NTT Communications and Riot Games were now detected in the global BGP routing tables with an Origin AS of 39523 (DV-LINK-AS), out of Russia.”

Whether it was a configuration mistake or a malicious attack, it propagated quickly through the Internet without visible obstacles. This was one of almost 5000 route leaks and hijacks in 11 months of 2017. For comparison, network outages during the same period caused almost 8000 incidents (source: https://bgpstream.com/).

In practice, the efficacy of corrective actions strongly depends on the reliability and completeness of information related to expected routing announcements, and these qualities quickly deteriorate with every routing hop on the path. This means that the easiest and most effective place to prevent such incidents originating from a customer is at its direct transit provider. In the case of AS39523, that is AS31133 (Megafon).

The Internet is an interconnected system and its security is only as strong as its weakest link – the least secure network operator. But the concept of “defense in depth” is more applicable here: If a network emits a false routing announcement, there should be many chances to correct it.

Deploying the simple, low-cost, low-risk measures promoted by MANRS is vitally important for all network operators. Had Megafon implemented Action 1 “Prevent propagation of incorrect routing information,” the false announcements yesterday would have been stopped at the first hop. Had reliable data been available about what prefixes DV-LINK-AS is authorised to advertise, others could have prevented that too.
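The kind of per-customer ingress check that Action 1 describes can be sketched as follows. This is an added example, not code from the original post or from MANRS: the filter contents are constructed (AS39523 is the customer named above, the prefixes are documentation ranges and AS64500 is a documentation ASN), and the function names are hypothetical.

```python
import ipaddress

# Constructed filter a transit provider might build for one customer session.
# AS39523 is the customer named in the article; the registered prefix is a
# documentation range chosen for illustration, not real registry data.
CUSTOMER_FILTER = {
    "peer_as": 39523,
    "as_set": {39523},                      # the customer and its own customers
    "prefixes": [("198.51.100.0/24", 24)],  # (registered prefix, max length)
}


def check_announcement(prefix, as_path, flt):
    """Return (accepted, reason) for one announcement heard from the customer.

    as_path is ordered as received: neighbour AS first, origin AS last.
    """
    net = ipaddress.ip_network(prefix)
    if not as_path or as_path[0] != flt["peer_as"]:
        return False, "first AS is not the customer"
    if as_path[-1] not in flt["as_set"]:
        return False, "origin AS not in customer AS set"
    for registered, max_len in flt["prefixes"]:
        reg = ipaddress.ip_network(registered)
        if net.version == reg.version and net.subnet_of(reg):
            if net.prefixlen <= max_len:
                return True, "registered prefix"
            return False, "more specific than allowed"
    return False, "prefix not registered to customer"


# Constructed announcements covering the cases discussed above.
SAMPLE_ANNOUNCEMENTS = [
    ("198.51.100.0/24", (39523,)),          # the customer's own prefix
    ("203.0.113.0/24", (39523,)),           # someone else's prefix, customer as origin
    ("198.51.100.128/25", (39523,)),        # more specific than registered
    ("192.0.2.0/24", (39523, 64500)),       # route leaked from another network
]


def run_filter(announcements, flt):
    """Apply the filter to each announcement and collect the decisions."""
    return [(p, *check_announcement(p, path, flt)) for p, path in announcements]


if __name__ == "__main__":
    for prefix, accepted, reason in run_filter(SAMPLE_ANNOUNCEMENTS, CUSTOMER_FILTER):
        print(f"{prefix:20} {'ACCEPT' if accepted else 'REJECT'}  {reason}")
```

The second sample has the shape of yesterday's event: the customer AS appears as origin for a prefix it never registered, and the filter drops it at the first hop.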

Is your network doing all it can to prevent incidents like this? Read the MANRS document, follow the Implementation Guide, and Join MANRS!

The post Another BGP Routing Incident Highlights an Internet Without Checkpoints appeared first on Internet Society.

Internet Society

Align Technology And Talent To Leverage The Internet Of Things

Part 4 of the “Manufacturing Value from IoT” series

In my last blog, I talked about the necessary investments manufacturers must make to gain a full IoT transformation. Here, I will talk about the critical collaboration between IT and OT departments to further increase profits and productivity.

The Internet of Things (IoT) is delivering substantial returns for those applying intelligence into their plants and processes. Some 72% of manufacturers report that application of IoT technologies to operations increased productivity in the past year, and 69% report that use of the IoT increased profitability. Yet most companies could get more bang for their IoT bucks if their operations technology (OT) and information technology (IT) departments would collaborate.

Why? Because even in companies with capable IoT initiatives, problems among technology employees can cripple an organization’s ability to:

  • Establish plant-to-enterprise connections: Secure networks are required to move plant-floor data to executives who need it. OT and IT staff must coordinate efforts — and budgets — to build these data highways.
  • Link IoT plant data to enterprise systems: OT and IT staff must work together to transform real-time plant and machine data into actionable information for enterprise resource planning and manufacturing execution systems.
  • Channel enterprise information to business analytics applications: OT and IT staff need to facilitate the smooth transfer of information into big-data applications that provide the basis for informed decisions.

Unfortunately, many manufacturers’ OT and IT staffs rarely collaborate. For example, just 43% report that their OT and IT staffs work together in linking operations data with business analytics.

Figure: OT and IT do not often collaborate. Source: “Leveraging the Internet of Things Takes Talent — and Collaboration,” SAP, 2017.

This lack of coordination means that employees who could use IoT information to improve performance — quality, equipment reliability, safety, timeliness, productivity, etc. —  can’t:

  • Only 34% of manufacturers say that all corporate executives who need IoT-enabled data can access it.
  • Only 13% of manufacturers say that all customers who need IoT-enabled data can access it.
  • Only 13% of manufacturers say that all suppliers who need IoT-enabled data can access it.

Manufacturers leveraging the IoT are understandably focused on the technologies to make this happen — smart devices, controls, sensors, networks, etc. But they must also:

  • Break down OT/IT siloes
  • Recruit collaborative IoT technology talent
  • Drive cultural change in technology departments, changing their roles from IT rule-makers/problem-fixers to providers of value-added services and support

How well do your OT and IT departments collaborate?

Stay tuned for more on how IoT can increase your profitability and productivity. In the meantime, download the report “Catch Up with IoT Leaders” to learn why it is challenging for many manufacturers to get the right data to the right executives in the right format.


Internet of Things – Digitalist Magazine

Continuing David Vyorst’s Legacy: Recognizing the Next Generation of Open Internet Advocates

Last week we shared the sad news that David Vyorst, the Executive Director of the ISOC-DC chapter and an instrumental part of the North American Internet community, passed away.

The DC Chapter and the Internet Society are jointly establishing a fellowship award in David’s name. The fellowship will be awarded to a young person in a US-based chapter who has an innovative project or initiative for making a chapter more effective in advancing the values of a free and open Internet accessible by everyone.

You can visit the DC Chapter’s website to make a donation in David’s memory.

Photo credit: Glenn McKnight

The post Continuing David Vyorst’s Legacy: Recognizing the Next Generation of Open Internet Advocates appeared first on Internet Society.

Internet Society

The Internet of Insecure Things


An article by León Markovitz, Marketing Manager at Netonomy (Twitter @getnetonomy).

From home appliances to health applications and security solutions, everything we use at home, and outside of it, is getting connected to the Internet, becoming the Internet of Things (IoT). Think about how many connected devices you have at home: tablets, laptops, e-readers, fitness devices, smart TVs – how about your thermostat, light bulbs, refrigerator and security system? Our home has effectively become a connected home, with an average of 12 things connecting to our home Wi-Fi network, transmitting data and delivering added value. But as connected home appliances continue to grow, so too will the cybersecurity risks.

Consumers have been fast to adopt IoT devices on the promise that they can improve our lifestyles. These things track and optimize our energy consumption, facilitate our daily tasks, improve our health and wellness, keep us secure and empower us with the freedom and data to do other things better. But from a security point of view, this unregulated, insecure and fragmented market represents a clear and present danger to individuals and society as a whole, from the cyber to the physical realm.

Chart: IoT units by category 2016-2020

To protect connected homes, a multi-faceted approach is recommended, combining a firewall blocking mechanism with machine learning and artificial intelligence to detect network anomalies. Millions of IoT devices are already compromised and we recommend that communication service providers (CSPs) initiate deployment of cybersecurity solutions today in parallel to their own R&D plans. By providing cybersecurity solutions through partnerships, they can begin to protect their vulnerable clients today and establish a market leadership position.

Cyber-threats

The declining costs to manufacture chips that can store and transmit data through a network connection have enabled thousands of organizations and startups to bring IoT products to market. But the current lack of standards and security certifications, coupled with fierce market competition to deliver affordable IoT products, have made cybersecurity an expense that manufacturers prefer others to deal with.

The lack of experience and incentives in the IoT supply chain to provide secure devices has created a tremendously vulnerable IoT landscape. In fact, according to recent findings by Symantec, IoT devices can become compromised within two minutes of connecting to the Internet [1]. Legislation has been too slow to deal with the current threat, and although there are public initiatives to drive cyber awareness among consumers, we do not expect any tangible changes soon.

Figure: Examples of hacked IoT devices

There are many attack vectors and vulnerabilities to worry about in the Connected Home. From poor design decisions and hard-coded passwords to coding flaws, everything with an IP address is a potential backdoor to cyber crimes. Traditional cybersecurity companies reacted slowly and failed to provide defense solutions to the expanding universe of IoT devices. However, novel approaches with Artificial Intelligence and Machine Learning, such as analyzing and understanding network behaviors to detect anomalies, are now available to defend against these new threats.

Figure: IoT vulnerabilities' attack surface

With all its challenges and opportunities, consumer IoT is destined to disrupt long-established industries, making it a space one cannot afford to ignore. One such long-established industry is precisely the one powering the revolution: the CSPs providing the broadband. By and large, telecommunication companies have failed to monetize the data running through their home gateways, missing out on big opportunities. We believe that the connected home, especially cybersecurity, is a low-hanging fruit that communication service providers can and should pick before it’s too late.

Home security and safety-related appliances are top revenue drivers in the connected home landscape, and telecom companies are well positioned to enter this market and rebrand themselves as innovative and secure companies interested in the well-being and privacy of their customers. By leveraging their existing assets, such as the home router, telecoms can provide holistic solutions that include cybersecurity, data management and customer support – giving them a unique advantage over their competitors. Consumers would much rather trust their CSPs to continue managing their data than give it away to foreign or unknown companies. It is time for Internet Service Providers to reclaim their value as a Service Provider, or else they risk missing out on this revolution as broadband continues to become commoditized.

Personal Risks

Figure: Hacking the connected home

Stories of hacked IoT devices abound; a quick search online will lead you to scary stories, from spying Barbie dolls [2], to TV sets monitoring you [3] and creeps accessing baby cameras [4]. Most ironic and worrying of all are the security threats inherent in best-selling security systems, which can allow hackers to control the whole system, due to lack of encryption and sufficient cybersecurity standards [5].

The cyber and physical risks intensify the more devices we connect: The volume of granular data that all these connected things generate when combined can provide a very detailed profile of the user, which can be used for identity theft and blackmail.

Once an unprotected IoT device gets hacked, a skilled hacker can proceed to infect other devices in the network via “lateral movement”. By jumping from one device to another, a hacker can gain complete control of a connected home. Because this threat comes from within the network, it is important to have a security solution that provides network visibility, creates device profiles and detects anomalies through machine learning and artificial intelligence.

There have been enough stories in the news for the average consumer to be aware of cyber threats. They know security is important and that they don’t have it, but they lack the resources to properly protect themselves. IoT manufacturers should be held accountable to prioritize security, but until that happens, the responsibility and opportunity fall on CSPs to protect the consumers.

Structural Risks

What makes the IoT ecosystem a potentially deadly cyber threat is the combined computing and networking power of thousands of devices which, when operated together as a botnet, can execute massive Distributed Denial of Service (DDoS) attacks and shut down large swaths of the Internet through a fire hose of junk traffic. The IoT ecosystem represents a totally different level of complexity and scale in terms of security and privacy.

Figure: Type of infected devices

In October 2016, we got a taste of this structural risk when the infamous Mirai botnet attacked the DNS company Dyn with the biggest DDoS attack ever reported: more than 1 terabit per second (Tbps) flooded the service, temporarily blocking access to Netflix, Twitter, Amazon, PayPal, SoundCloud, New York Times and others. The Mirai botnet used enslaved IoT devices (nearly 150,000 hacked cameras, routers and smart appliances) to inadvertently do its criminal bidding, and most of the infected devices remain out there, with their users oblivious to the fact.

The way Mirai malware spreads and attacks is well known: it scans the web for open Telnet and SSH ports, browsing for vulnerable devices using factory default or hard-coded usernames and passwords, then uses an encrypted tunnel to communicate between the devices and command and control (C&C) servers that send instructions to them. Since Mirai uses encrypted traffic, it prevents security researchers from monitoring the command and data traffic.
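Seen from the home gateway, the scanning phase described above looks like one LAN device opening Telnet or SSH connections to many different outside addresses in a short time. The following detector is an added example, not Netonomy's product or code from the article; the flow-record layout, the LAN range, the thresholds and all sample records are constructed assumptions.

```python
import ipaddress
from collections import defaultdict, deque

HOME_LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed home network
WATCHED_PORTS = {22, 23}                           # SSH and Telnet, as in the text


def find_scanners(flows, window_s=60, min_distinct=20):
    """Flag LAN devices that contact many distinct outside hosts on 22/23.

    flows: iterable of (unix_ts, src_ip, dst_ip, dst_port) tuples.
    Returns {src_ip: largest number of distinct destinations in any window}.
    """
    recent = defaultdict(deque)   # src -> (ts, dst) pairs still inside the window
    flagged = {}
    for ts, src, dst, port in sorted(flows):
        if port not in WATCHED_PORTS:
            continue
        if ipaddress.ip_address(src) not in HOME_LAN:
            continue              # only profile devices inside the home
        if ipaddress.ip_address(dst) in HOME_LAN:
            continue              # LAN-internal admin sessions are not Internet scans
        window = recent[src]
        window.append((ts, dst))
        while window and window[0][0] < ts - window_s:
            window.popleft()
        distinct = len({d for _, d in window})
        if distinct >= min_distinct:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged


def sample_flows():
    """Constructed flow records: one scanning camera and two ordinary devices."""
    flows = []
    # Camera sweeps 25 different outside addresses on Telnet within 25 seconds.
    for i in range(25):
        flows.append((1000 + i, "192.168.1.50", f"203.0.113.{i + 1}", 23))
    # Laptop: two SSH sessions to outside hosts, minutes apart.
    flows.append((1005, "192.168.1.10", "198.51.100.7", 22))
    flows.append((1300, "192.168.1.10", "198.51.100.8", 22))
    # Thermostat: repeated HTTPS to a single cloud endpoint.
    for i in range(40):
        flows.append((1000 + i, "192.168.1.60", "198.51.100.20", 443))
    # Laptop administering the router over SSH inside the LAN.
    flows.append((1010, "192.168.1.10", "192.168.1.1", 22))
    return flows


if __name__ == "__main__":
    for device, count in find_scanners(sample_flows()).items():
        print(f"{device}: {count} distinct Telnet/SSH destinations within 60 s")
```

Because the check counts connection fan-out and not payload content, it still works when the device's later command traffic cannot be inspected.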

The source code for Mirai was posted soon after on the Hackforums site [6], enabling other criminals to create their own strains of the malware. It is not necessary to have an “army” of thousands of infected devices to cause harm. Mini-DDoS botnets, with hundreds of compromised nodes, are sufficient to cause temporary structural damage and reduce the chances of getting caught. Expect more of these attacks in the future.

Figure: Geography of infected devices

Capturing vulnerable devices to turn them into botnets has become a cyber crime gold rush, with an estimated 4000 vulnerable IoT devices becoming active each day [7], and criminals selling and renting botnets on the dark net at competitive prices to cause harm. Although simple to understand, this sort of malware is hard to detect because it does not generally affect device performance, so the average user cannot know if their device is part of a botnet – and even if they did, it’s often difficult to interact with IoT devices without a user interface.

Stakeholders should take proactive steps that can prevent future incidents by addressing the lack of security-by-design in the IoT landscape. The Mirai malware was a warning shot, and organizations must be prepared for larger and potentially more devastating attacks. Because of market failures at play, regulation seems like the only way forward to incentivize device manufacturers to implement security in their design, but doing so could stifle innovation and prove disastrous to the ecosystem. It is because of this delicate balance that we believe service providers are perfectly positioned to seize this problem as an opportunity to become market leaders in the emerging field of IoT cybersecurity.

Looking Forward

The frequency of cyber threats is increasing as the IoT landscape continues to expand. Gartner predicts that by 2020, addressing compromises in IoT security will have increased security costs to 20% of annual security budgets, from less than one percent in 2015 [8]. The threats to consumers and society are numerous, but joint cybersecurity and cyber-hygiene efforts by manufacturers, legislators, service providers and end users will mitigate the inherent risks discussed in this paper.

Until that happens, service providers are uniquely positioned and encouraged to begin offering cybersecurity services to their consumers through their home gateways: the main door of the home network. Communication Service Providers that provide home network security and management solutions today can become the preferred brand for Smart Home solutions and appliances, leading IoT market adoption while preventing the cyber risks associated with it.

Netonomy has developed a solution that is available today for service providers interested in providing a layer of security to their consumers and become a trusted market leader in the emerging IoT landscape. Because it is cloud-based, this solution can be instantly deployed across thousands of routers at a low cost and bring immediate peace of mind to consumers.

Netonomy’s Solution:
Netonomy provides a simple, reliable and secure network for the connected home. Through a minimal-footprint agent installed on the home router, we provide a holistic solution to manage the connected home network and protect it from internal and external security threats. Our unique technology can be deployed on virtually all the existing home gateways quickly and at a minimal cost, providing ISPs and router manufacturers with better visibility into home networks and a premium service that can be sold to customers to make their connected future simple, reliable and secure.

[1] “2017 Internet Security Threat Report.” Symantec, 2017, https://resource.elq.symantec.com/LP=3980?cid=70138000001BjppAAC&mc=202671&ot=wp&tt=sw&inid=symc_threat-report_regular_to_leadgen_form_LP-3980_ISTR22-report-main
[2] Gibbs, Samuel. “Hackers can hijack Wi-Fi Hello Barbie to spy on your children.” The Guardian, Guardian News and Media, 26 Nov. 2015, www.theguardian.com/technology/2015/nov/26/hackers-can-hijack-wi-fi-hello-barbie-to-spy-on-your-children
[3] Goldman, David. “Your Samsung TV is eavesdropping on your private conversations.” CNNMoney, Cable News Network, 10 Feb. 2015, money.cnn.com/2015/02/09/technology/security/samsung-smart-tv-privacy/
[4] Flannigan, Jenna. “Parental Warning: Baby Monitors Can Be Hacked.” Healthline, Healthline Media, 18 Aug. 2016, www.healthline.com/health-news/baby-monitors-can-be-hacked
[5] Storm, Darlene. “Of 10 IoT-Connected home security systems tested, 100% are full of security FAIL.” Computerworld, 11 Feb. 2015, www.computerworld.com/article/2881942/cybercrime-hacking/of-10-iot-connected-home-security-systems-tested-100-are-full-of-security-fail.html
[6] Goodin, Dan. “Brace yourselves—source code powering potent IoT DDoSes just went public.” Ars Technica, 2 Oct. 2016, arstechnica.com/information-technology/2016/10/brace-yourselves-source-code-powering-potent-iot-ddoses-just-went-public/
[7] Scott, James, and Drew Spaniel. “Rise of the Machines: The DYN Attack Was Just A Practice Run.” Institute for Critical Infrastructure Technology, Dec. 2016, icitech.org/wp-content/uploads/2016/12/ICIT-Brief-Rise-of-the-Machines.pdf
[8] “Gartner Says Worldwide IoT Security Spending to Reach $ 348 Million in 2016.” Gartner, 25 Apr. 2016, www.gartner.com/newsroom/id/3291817

The post The Internet of Insecure Things appeared first on IoT Business News.

IoT Business News