
Summary:

Most people grok that they need to update their software and watch what they browse. But very few suspect that their own printer could do them in.

There seems to be news of a new massive security breach every day — the latest being the eBay mess. The good news is that because of these snafus, people are starting to get that bad browsing behavior and non-updated software on their smartphones, tablets and PCs can lead to problems.

But there’s a rash of shiny new devices connecting to the internet that are also vulnerable to remote attack, and that requires a new way to think about security. This will be a topic at the upcoming Structure show in San Francisco June 18-19. And then there is an array of less glamorous connected things that predate the IoT hype cycle, and that most people don’t even think about as being vulnerable. Your printer, for example, could be a disaster waiting to happen, said Patrick Gilmore, CTO of Boston-based data center provider Markley Group (and former network architect at Akamai).

At MIT’s CIO Symposium on Wednesday, Gilmore asked a roomful of IT professionals: “How many of you would be upset if every document you ever printed was read by someone you didn’t intend to see it?” It’s safe to say 100 percent of that room would be unhappy about that.

When people build printer cards, which have IP addresses, “they’re not thinking about stack overflow or checking to make sure that the person sending the print command is the person that should be sending that command. These devices need to be secured but are not even considered in most CIOs’ security plans,” Gilmore said.

Broad connectivity, more data = higher stakes

So more data is getting generated and collected by more devices. And to complicate matters, the lines between hacktivists, state-sponsored hackers and industrial spies are disappearing. Consider a scenario where your top competitor could, with the right help, read every document your CEO or CFO or general counsel ever printed. Scary, no?

Joseph Hadzima, senior lecturer with the Martin Trust Center for MIT Entrepreneurship, who moderated a security and privacy panel, painted a scary world where baby monitors get hacked and cars are remotely commandeered. The stakes have certainly changed but the tools used till now to secure our stuff have been overmatched for some time. What does it say when Symantec, an anti-virus company, admits that anti-virus is dead?

Mark Morrison, SVP and Chief Information Security Officer for State Street, agreed with Gilmore that two-factor authentication is table stakes now. But companies need to go further.

Morrison wants to just nuke passwords altogether. “They’re a complete waste of time,” he said. For one thing, they need to be 14 to 16 characters long to be even marginally useful, but at that point people end up writing them down on stickies, which defeats the whole purpose.

Enterprises need to proactively monitor threats and make sure their infrastructure evolves accordingly. The message out of MIT was that no one can stop every attack, but companies can make it less worthwhile, harder and more expensive for bad guys to attempt attacks in the first place. And they need to be acutely aware that a layered security solution has to cover non-traditional gizmos that are connected to the network.

Yes, the printer too.

 

  1. Scary stuff…great article. :-)

  2. It is hard to keep up with all the new threats. Companies have to assume a lot of the responsibility for security if they want to do business this way. They have economies of size and economies of low staffing numbers.
    Leslie

  3. Reblogged this on Doug Utberg's Blog and commented:
    We always need to consider that the more complexity we introduce into our lives, the more ways there are for things to go wrong, and go wrong in increasingly unexpected ways.

  4. seems like a chance to invent a new secure infrastructure as it moves forward.

  5. That’s great … worth reading it :)

  6. Proofreading is fun!

    1. uh oh. what’d i do now?

  7. JenniferDawn Thursday, May 22, 2014

    Thank you so much for writing this article! I have been saying this for a while, but the IoT ‘vendors’ are suffering from the ‘Emperor has No Clothes’ syndrome, and have not thought out the necessary security implications.

    I think it will take a few dozen DEATHS for anyone to really take this threat seriously, however.
    People just blindly trust these new devices, and won’t take it seriously, until people get physically injured.

    Quite honestly, I wish I had a law firm, so that I could start preparing the inevitable class action personal-injury lawsuits – it will be a veritable gold mine!

  8. Ralph Haygood Thursday, May 22, 2014

    Most of what I hear about under the “Internet of things” rubric strikes me as solutions to imaginary problems. I’m far from a technophobe – I develop software for a living, and I gladly embrace new and better tools for doing so – but I really don’t feel the slightest need for, say, an Internet-connected light bulb. On top of that, considering the security problems we have with the Internet of conventional computing devices, an Internet of household appliances and the like is indeed a security nightmare. No thanks.

    1. Well said, Ralph. I think IOT is still firmly in the Jurassic Park category (the gadget makers are so preoccupied with whether or not they could that they didn’t stop to think if they should). Where is the killer app, here?

  9. sitch? really????
