Be yourself; Everyone else is already taken.
— Oscar Wilde.
This is the first post on my new blog. I’m just getting this new blog going, so stay tuned for more. Subscribe below to get notified when I post new updates.
At its core, facial recognition is about security. Secure authorization, secure matching, and secure cities. We have to remember that our need for security is in a constant balance with our need for convenience. The more secure something is – say, a complex password – the less convenient it is. Likewise, the more convenient something is – say, using your birthday or pet’s name as a password for every account – the less secure it is. Civil liberties also enter this balance, but they raise a different set of questions and solutions, which we address further on in this paper.
Beyond that, there are three types of security authorization. There’s “what you know”, such as your password or a security question (Schneider 2005). There’s “what you have”, such as a key or ID card. And then there’s “what you are”, such as your fingerprint, voice, or face. While the latter is becoming increasingly popular, we don’t yet have reason to believe it’s more secure in authorization applications. It’s certainly more convenient, but less secure for reasons we will delve into later. Conversely, in one-to-many matching (say, picking a face out of a crowd, or correctly identifying a patient before administering drugs in a rapid triage incident), it is far more secure (Mann 2017).
The last general concept we need to cover is hashing. Hashing is a method by which a password or other piece of data is transformed by a one-way function into a long alphanumeric string (Schneider 2005). On its own, the hash is useless to an attacker, and this has become the standard method for storing passwords. It is very rare nowadays to find passwords stored in “plaintext”, that is, in their original form as the literal strings the user types in for authorization.
Facial recognition has been accomplished in a variety of ways over the years, but the basic concept is to capture an image and use a program which can find any faces in said image (Wasserman 2019). The faces are then mapped with techniques ranging from facial structure to porosity and texture analysis. Then, the face is placed in a database, or checked against the faces in a database for matching.
One of the earliest techniques, known as Viola-Jones extraction, emerged from Facebook several years ago when they began identifying faces and suggesting “tags”. They taught their systems to identify faces by looking for patterns of light and dark which represent “Haar-like” features. It then uses layering and extrapolation to determine what is and isn’t a face, as sometimes other objects can give false positives. Usually, matching techniques like this, and many others, don’t look for a 100% positive result, but rather a result in excess of a 93% match, varying from system to system and between implementations.
While most of the literature on the other technique we researched pertains to fingerprints, we thought the concept, or rather its solution to a problem we had asked ourselves, was too fascinating not to include: fuzzy hashing.
Much like the Viola-Jones method, fuzzy hashing doesn’t seek a 100% match (Garg 2015). By mapping regions of the fingerprint and looking for a high enough coincidence of matching regions, it can declare a positive match at only 96% coincidence. This is useful not only because end users aren’t likely to place a thumb or finger on the input device exactly the same way each time, but because of variability in the surface due to nicks, cuts, etc. Such creative workarounds have become core to the proper functioning of facial recognition systems.
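To make the contrast between the password-style hashing described earlier and the threshold matching described here concrete, the following added example (not code from the original post) compares a constructed 64-byte biometric template against noisy captures two ways: by exact SHA-256 digest, and by the fraction of coinciding regions measured against the 96% figure cited above. The template layout, region size and perturbations are assumptions.

```python
"""Exact hash comparison vs. threshold ("fuzzy") matching of a biometric template.

Added illustration, not code from the original post. The 64-byte templates are
constructed stand-ins for a fingerprint or face feature map; real systems use
vendor-specific templates. The 0.96 threshold is the figure the post cites.
"""
import hashlib
from typing import Iterable, Tuple

TEMPLATE_LEN = 64       # constructed template size in bytes
REGION_LEN = 2          # bytes per region compared for coincidence (assumption)
MATCH_THRESHOLD = 0.96  # fraction of regions that must coincide


def sha256_hex(template: bytes) -> str:
    """Conventional one-way hash, the password-storage approach."""
    return hashlib.sha256(template).hexdigest()


def exact_match(enrolled: bytes, probe: bytes) -> bool:
    """Password-style check: any differing bit yields a different digest."""
    return sha256_hex(enrolled) == sha256_hex(probe)


def region_similarity(enrolled: bytes, probe: bytes,
                      region_len: int = REGION_LEN) -> float:
    """Fraction of fixed-size regions that coincide exactly between two templates."""
    if len(enrolled) != len(probe) or len(enrolled) % region_len:
        raise ValueError("templates must be equal length and a multiple of region_len")
    regions = len(enrolled) // region_len
    matching = 0
    for i in range(regions):
        lo, hi = i * region_len, (i + 1) * region_len
        if enrolled[lo:hi] == probe[lo:hi]:
            matching += 1
    return matching / regions


def fuzzy_match(enrolled: bytes, probe: bytes,
                threshold: float = MATCH_THRESHOLD) -> Tuple[bool, float]:
    """Threshold check: returns (accepted, score) so the score can be logged."""
    score = region_similarity(enrolled, probe)
    return score >= threshold, score


def perturb(template: bytes, byte_offsets: Iterable[int]) -> bytes:
    """Constructed 'noisy capture': flip one bit at each given byte offset."""
    buf = bytearray(template)
    for offset in byte_offsets:
        buf[offset] ^= 0x01
    return bytes(buf)


# Constructed, deterministic sample data.
ENROLLED = bytes(range(TEMPLATE_LEN))                  # reference template
NOISY_CAPTURE = perturb(ENROLLED, [10])                # 1 of 32 regions differs
SCARRED_CAPTURE = perturb(ENROLLED, [0, 16, 32, 48])   # 4 of 32 regions differ
IMPOSTOR = bytes((b * 7 + 3) & 0xFF for b in range(TEMPLATE_LEN))  # no region coincides


if __name__ == "__main__":
    for name, probe in [("noisy", NOISY_CAPTURE), ("scarred", SCARRED_CAPTURE),
                        ("impostor", IMPOSTOR)]:
        accepted, score = fuzzy_match(ENROLLED, probe)
        print(f"{name:9s} exact={exact_match(ENROLLED, probe)!s:5s} "
              f"fuzzy={accepted!s:5s} score={score:.4f}")
```

Because the exact digest rejects even the genuine noisy capture, a stored hash alone cannot serve as the comparison value for biometrics; the matcher needs the enrolled template, which is why how that template is stored and segregated matters so much.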
A problem arises, however, in how biometric data is currently being stored by most companies. The data is often stored conventionally, alongside other information, but the worst part is that companies often don’t hash the biometrics (Mendelson 2018). International firm Suprema was just recently the target of a massive data breach wherein two million instances of fingerprint and facial data from 83 countries were stolen. We have yet to see the actual ramifications of this.
Facial recognition is used in fields ranging from commerce and personal security to medicine and law enforcement (Malcik 2012). Regardless of the field, it effectively hyper-personalizes “client-server” interactions. In law enforcement, that may mean more brutally efficient identification of suspects, either in a crowd or during a traffic stop; however, it is this same efficiency that renders the technology so useful in other fields.
In personal security and commerce, one can lock their PayPal or mobile banking apps with a facial recognition system (Spolaor 2016). And while the new Barclays-Hitachi project focused on authorizing corporate transactions with fingerprint scanners, it’s reasonable to assume facial recognition is a next step in such settings (Barclays). One can also see growing, at least experimental, use of facial recognition to market directly to consumers. As seen in the Sony Pictures film Minority Report, face scanners can identify a shopper and deliver a customized shopping experience based on past visits or tracking profiles.
According to an article by Xfinity, “Apple’s iPhone X and Samsung’s Galaxy Note 8 and 9 are the most popular devices with facial recognition right now… In addition to Apple and Samsung, popular devices that offer this feature include Motorola Moto G6, OnePlus 6, Oppo Find X, Huawei Honor 7X, and LG G7” (China 2018). A common example of biometrics, more specifically behavioral characteristics, is behavioral software. Google has the “Google Home”, Apple has the “HomePod”, and Amazon has the “Amazon Echo”. Each contains its own assistant software that helps with daily tasks like the weather or reminders: Google has the Google Assistant, Apple has Siri, Amazon has Alexa, Samsung has Bixby, and Windows has Cortana.
Another application of biometrics in use today, according to the EFF, is that the U.S. military has used iris scanning devices to identify detainees in Iraq and Afghanistan (Porter 2017). For example, the handheld biometrics recorder SEEK II allows military personnel to take iris scans, fingerprints, and face scans and port the data back to an FBI database in West Virginia in seconds, even in areas with low connectivity.
Aside from large companies like Google and Apple applying biometrics in our daily lives, other parties are using biometrics as well. Barclays, a British bank, has done something interesting. An article by Planet Biometrics states: “Barclays has today unveiled its enhanced finger vein scanner, which will help businesses access their banking facilities securely. The Barclays Biometric Reader (BBR), developed in collaboration with Hitachi, uses infra-red technology to identify the user by scanning their unique finger vein patterns. Even more secure than a fingerprint, this innovation removes the need to remember PINs or passwords and eliminates the risk of PIN capture, identity fraud or sharing of account details.”
An advancement like this is definitely the next step in biometrics and is far more secure, but one could see how it might be argued to be an invasion of privacy. Another example is the Texas City Independent School District. TEA states: “The 2007 Texas Legislature passed Senate Bill 9 requiring fingerprint-based criminal background reviews for certain school employees in Texas Public schools.” Then we have other parties like the Chinese government.
In comparison to everything else previously mentioned, the Chinese government uses biometrics, both the technology and the data, to their full potential. According to Paul Mozur in a New York Times article, the Chinese government is using its face scanning to crack down on Muslims. The many cameras in China are being used to scan and search for anyone with a resemblance to the Muslim minority. Mozur states: “The facial recognition technology, which is integrated into China’s rapidly expanding networks of surveillance cameras, looks exclusively for Uighurs based on their appearance and keeps records of their comings and goings for search and review…its use to keep tabs on China’s 11 million Uighurs – a Muslim minority.” Nor should we ignore that the rest of China’s population is kept under surveillance as well.
They keep tabs, make lists, and sort people into groups ranging from those with mental health issues to those with past records of drug use. The point in China is to have so much surveillance that the authorities already know everything about anyone by the time that person does something and is arrested. In another article, HRW states: “The Chinese government has been collecting the voice patterns of tens of thousands of people with little transparency about the program or laws regulating who can be targeted or how that information is going to be used.”
As we’ve said, there are some key benefits and tradeoffs involved here. On the plus side, this technology can help law enforcement find missing people, offer convenient and ideally secure access and authorization, and streamline commerce (Mann 2017).
The drawbacks are pretty significant though. If one’s biometrics are stolen, they can’t be replaced the way a password can be. Given the high number of data breaches in recent years, this is a major problem (Mendelson 2018).
As seen in China, this technology can be abused to extreme degrees, even aiding in surveillance-assisted population control and genocide. In the US, we may see similar abuses, as we recently learned that the NSA was going far beyond its legally permitted arsenal of techniques to spy on American citizens.
Most widely reported in Western media has been the inherent bias in the training datasets used with facial recognition. While the systems themselves are not biased, the training datasets often are, by virtue of the number of faces of various ethnicities offered for comparison and collation (Porter 2017).
With the reach and power facial recognition has, it is only a matter of time before it is abused and damage is done to the general population. This means that regulation of some kind is necessary to protect people from harm. Though government can be slow to respond to emerging issues, there has been discussion of the need for data privacy legislation as far back as 1890 when now-famous lawyers Warren and Brandeis discussed their thoughts on the right to privacy, including their views that the use of new inventions like photographs or even drawings of individuals violates that right (Warren & Brandeis 1890).
Fortunately, biometric privacy has been tackled by state legislatures in the U.S. as early as 2008, when Illinois passed the Biometric Information Privacy Act (BIPA) (Mendelson 2018). BIPA sets regulations on any private entity that handles physiological biometric information to ensure individuals are aware of how it will be used. Behavioral biometrics, like keystroke or gait, are not covered under BIPA. BIPA requires that private entities have a written policy for their use of biometric information; it requires these entities to inform people of the use of the information and get their consent for it; it requires them to store and transmit this information as securely as any other confidential information; it prevents them from profiting from this information or sharing it without that person’s consent; and it requires them to destroy it when it no longer serves a purpose. BIPA gives individuals the right to sue any entity that violates these laws. The protections provided by BIPA have allowed individuals to better control and understand the use of their biometric information and have opened the door for many class action lawsuits over violations. BIPA was further strengthened in early 2019 as a result of Rosenbach v. Six Flags, when the Illinois Supreme Court determined that a violation of an individual’s rights under BIPA alone was sufficient to sue a private entity and there did not need to be any other adverse effect (Rosenbach v Six Flags 2019).
Since Illinois passed BIPA, Texas (2009) and Washington (2017) have followed with similar legislation, and other states have bills soon to be in effect or pending. These bills provide many similar protections to BIPA, but they are generally considered weaker as they do not allow individuals to sue private entities, only the state attorney general.
All of these bills also make allowances for law enforcement or state agencies to utilize biometric identifiers without setting requirements for how it is used. This leaves many openings for abuse by government entities. Though local city governments have set policy on the use, or banning, of facial recognition, there are no major policies in place requiring specific use or oversight.
Bills to amend BIPA have been created that many critics say seek to cut its strength (Illinois SB303 2017-18). In 2016, House Bill 6074 was introduced that would remove photographs as a form of biometric information. While it did leave face geometry as biometric information, face geometry is usually derived from photographs, and its usage would be more difficult to oversee. 2018 saw SB 3053. This bill would change the requirements for who must follow BIPA. It would no longer require entities to meet its requirements if they only used the information for employment or security purposes, did not sell or profit from the information, or protected the information in the same or a safer manner than other confidential information. The most recent attempt at amending BIPA was SB 2134 in 2019. It would remove an individual’s right of action. This means that individuals would no longer be able to sue companies for violations of BIPA; only the Department of Labor and the State Attorney General would be able to. None of these bills ever came to a vote.
In 2016, the European Union passed the General Data Protection Regulation (GDPR) (EU 2018). The GDPR is designed to give individuals total control over their personal data, including biometric information, and took effect in 2018. The GDPR includes biometric information, both physiological and behavioral, as a “special category of personal data” (GDPR, Art. 9), and its use is prohibited unless certain criteria are met, including if the individual gives their explicit consent for its use, if it is necessary to protect the interests of the individual when the individual is incapable of giving consent, if it is vital for legal claims, or other reasons. Furthermore, the GDPR allows individuals to withdraw their consent for their biometric information’s use at any time, to have their information deleted, and to lodge a complaint for any violations.
In 2018, California passed the California Consumer Privacy Act (CCPA), which was written in the footsteps of the GDPR and is seen as the first set of truly encompassing data privacy laws in the US, including biometric information. It goes into effect on January 1st, 2020. The CCPA grants California citizens many rights similar to those the GDPR gives citizens of the EU. They can request to see, delete, and take their data with them. It also requires private entities to offer California citizens an easy way to inform the entity that it cannot sell the information, or to opt out of its collection entirely.
Washington had a bill similar to the CCPA moving through the legislature in 2019 that would establish similar rules on the use and control of individuals’ data (Ropek 2019). Though it successfully moved through the Senate, it failed to come to a vote on the House floor. There are hopes it may come back in 2020. “One of the most argued issues was the bill’s approach to the regulation of facial recognition software” (govtech.com), with critics saying it should be wholly outlawed due to its biases. It also did not make allowances for individuals to sue private entities over violations.
In summation, biometrics and facial recognition data are not going away. Considering the permanence and personal nature of this form of authorization and matching, it’s imperative we take precautions in how this data is obtained and handled.
It should never be stored with regular user data. This information is of a specially privileged nature and must be protected under extreme scrutiny. Also, much like passwords, this information needs to be securely hashed.
Regarding governments and law enforcement, the present standards used with wiretapping and other court-ordered and warranted surveillance should be employed. In the United States, this obviously is a vague and overbroad field due to the PATRIOT Act; however, it’s the best we can do with the systems in place regarding government and LEO capabilities in the states.
As for ethnic bias, this requires independent, third-party oversight to ensure that common training datasets are well-representative of the population for the sake of accuracy, and not simply resting on proportionally available images from group to group.
On the corporate level, certain levels of hyper-attention to security must be legally mandated. While companies may not be profit-motivated to treat this data with extreme care, hefty fines and possible indictments can take the place of such incentives. To this end, these companies cannot be exempted from the rules of legislation like BIPA, as some are seeking to do.
When engaging with users, clear opt-out options must be available, or – better yet – opt-in. Users need to have control and agency over their personal data, but even more so when biometrics are concerned. Again, the permanence of one’s face and fingerprints cannot be overstated.
Until we can attain these ends, though, it’s important for users to do their due diligence in understanding the data policies for the devices and services they use. It’s always important to know how to opt out of any program’s data collection as well. And if one ever suspects their data has been mishandled, action can and should be taken through BIPA or its related laws.
I’d like to write about IoT devices as they relate to increasingly powerful botnet attacks, as seen in the Mirai takedowns. Almost overnight, we went from seeing small-scale DDOS attacks on personal servers and small companies to some of the largest server farms on the planet being struck down. This topic obviously has several main components. The first is how botnets fundamentally work: what they are, and how one builds and controls one. The second is the nature of IoT devices as they explode in popularity, and how default passwords and other facets of production leave innumerable (really, tens of billions of) computers open to attack. Thirdly, there are the economic, military, and political ramifications of all this.
I will look at the court records surrounding the Mirai case (turned out not to be some foreign power or intelligence entity, but rather 4 college kids in Alaska trying to corner the Minecraft server market where DDOS attacks are common), as well as several well-researched white papers on the problems of susceptible devices (particularly in SE Asia where almost all the Mirai-vulnerable network lies) and how these problems appear when the attacks and their purposes are scaled to the level of military and geopolitical actions. It is also my hope to reach a security expert or two for use as a primary source on the subject, so I may ask specific questions to fulfill my queries.
The Internet of Things (IoT) is the way of the future, but a lack of proper security has paved the way for new, powerful botnets to propagate around the world. From smart refrigerators to internet routers, the Internet of Things comprises countless interconnected devices intended for communication and convenience; however, a great many of these devices use default passwords and either don’t prompt the user to change them, or don’t allow it at all. This vulnerability has been exploited by malware developers to capture and control countless such devices in concert, and deploy their combined computing resources to enact devastating attacks. Mirai is just one of the malware tools used to create such botnets, but as it is one of the most effective to date, and heavily reported upon, it will be the focus of this paper.
First, let’s examine the Internet of Things. While definitions vary, we will be using that provided by IoT-focused consulting firm Gartner: “The Internet of Things is the network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment.” In the past decade, the number of these devices connected to the internet has skyrocketed in both industry and consumer markets. As the chart below from Cisco shows, the growth is now exponential. In fact, Cisco (2016) predicts 500 billion devices to be connected to the internet by 2030. For comparison, a paper by Steve Symanovich of Symantec (2017) put the 2016 number at 4.7 billion.
Another term we have to define is DDOS, or Distributed Denial of Service. This is a kind of attack levied against servers by overloading them with traffic. A person is normally limited in such an attack by their own network bandwidth, but many devices across many networks can be orchestrated in parallel to multiply its scale.
And lastly, we have botnets. Botnets are networks made up of many computers or other internet-connected devices, operated from a “command and control” (C&C) unit. These are often employed by hackers for larger DDOS “payloads”, as described above, bitcoin mining, and other purposes.
While IoT devices have led to greater integration of new technology in people’s lives at work, at home, and in transit, they have also opened the door to new attacks from malicious actors seeking to create botnets. Many of these devices ship with default passwords which are readily available on manufacturers’ websites, and some don’t even offer the ability to change these passwords to properly secure them from attack. These vulnerabilities are easily exploited by scripts which search for devices using a certain default password, then capture them for use in a C&C interface. One of the most famous of these malware scripts, and the focus of this paper, is Mirai. Mirai came to the world’s attention with a DDOS attack on KrebsOnSecurity.com, a well-known cyber security blog. According to the US Dept of Homeland Security (2016), the attack clocked in at over 620 Gbps, making it the largest DDOS attack on record at the time.
The malware continuously scans the internet for IoT devices using any of 62 common default passwords, and upon finding them, hacks them and co-opts their computing resources. Because of the weak passwords on these devices, this simple attack vector allows the operator to control hundreds of thousands of IoT devices with relative ease. According to the US Dept of Homeland Security (2016), 380,000 devices were orchestrated in the attack on Krebs’ website. Several months later, a much larger attack took place using the same Mirai malware. French web host OVH was brought down with a DDOS attack of a walloping 1.5 Tbps. Following this, DNS provider Dyn came under attack in the culmination of this chain of events (Ma 2017). Dyn provides DNS services to such popular entities as Amazon, GitHub, Netflix, PayPal, Reddit, and Twitter. When it was hit by Mirai, these services all became temporarily unavailable.
According to the US Dept of Homeland Security (2016), “the IoT devices affected in the [Krebs and OVH] Mirai incidents were primarily home routers, network-enabled cameras, and digital video recorders.” According to a whitepaper led by Zane Ma (2017), the botnet’s strongest presence is in Brazil and Southeast Asia, where cheap IoT devices are everywhere.
These attacks showed a new level of “firepower” available to malicious hackers. This poses a significant threat in economic terms as well as general security in domestic and military realms. Such attacks can be mounted against supercomputers in specific politically motivated efforts, or can simply drain upon a nation’s resources as it scrambles to operate in the face of DDOS attacks and data theft.
Shortly after Mirai was developed, it was published online and made available to everyone, according to Buntz (2019). It didn’t take long before it was put to use for a variety of nefarious purposes, perhaps most notably being used to shut down nearly all of Liberia’s internet infrastructure. Fortunately, Mirai is stored in volatile (dynamic) memory, and therefore can be eliminated with a simple reboot. After this reboot, reinfection can be prevented by changing the default password. Unfortunately, many users either can’t or won’t do this, and it’s statistically infeasible to expect this on any large enough scale. Much like vaccinations, this is a case where herd immunity is needed or everyone is at risk. The danger isn’t so much that one’s smart thermometer will be hacked and manipulated, but that thousands of just such devices will be hacked and turned towards larger targets.
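A network-side check a defender can run for the scanning behaviour described above, as an added example that is not part of the original post: it flags any internal source that reaches an unusually large number of distinct destinations on one port inside a short window, which is how a co-opted camera or router shows up in flow logs before anyone knows to reboot it and change its password. The flow records are constructed, and the window and fan-out thresholds are assumptions to be tuned per network.

```python
"""Flag hosts whose outbound traffic looks like botnet-style scanning:
many distinct destinations on a single port within a short time window.

Added example, not from the original post. Flow records are constructed
(timestamp, source, destination, destination port) tuples standing in for
NetFlow or conntrack export; thresholds are assumptions an operator tunes.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Tuple


class Flow(NamedTuple):
    ts: int        # seconds since epoch (constructed values)
    src: str       # internal source address
    dst: str       # destination address
    dport: int     # destination port


FANOUT_THRESHOLD = 20   # distinct destinations on one port that trigger an alert
WINDOW_SECONDS = 60     # sliding window length


def detect_scanners(flows: Iterable[Flow], fanout: int = FANOUT_THRESHOLD,
                    window: int = WINDOW_SECONDS) -> Dict[str, Tuple[int, int]]:
    """Return {src: (dport, peak_distinct_destinations)} for sources whose
    distinct-destination count on some port reaches `fanout` inside `window`."""
    by_key: Dict[Tuple[str, int], List[Flow]] = defaultdict(list)
    for f in flows:
        by_key[(f.src, f.dport)].append(f)

    alerts: Dict[str, Tuple[int, int]] = {}
    for (src, dport), group in by_key.items():
        group.sort(key=lambda flow: flow.ts)
        in_window: Dict[str, int] = defaultdict(int)  # dst -> flows inside window
        left, peak = 0, 0
        for right, f in enumerate(group):
            in_window[f.dst] += 1
            # Advance the left edge until the window spans at most `window` seconds.
            while f.ts - group[left].ts > window:
                old = group[left].dst
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= fanout:
            # Keep the worst port if a source is noisy on several.
            if src not in alerts or peak > alerts[src][1]:
                alerts[src] = (dport, peak)
    return alerts


def _constructed_flows() -> List[Flow]:
    """Three internal hosts; destinations use RFC 5737 documentation ranges."""
    flows: List[Flow] = []
    # An IP camera sweeping 25 different hosts on port 23 in under a minute.
    for i in range(25):
        flows.append(Flow(1000 + i, "10.0.0.23", f"203.0.113.{i + 1}", 23))
    # A laptop talking repeatedly to just three web servers: busy, not scanning.
    for i in range(30):
        flows.append(Flow(1000 + i, "10.0.0.5", f"198.51.100.{i % 3 + 1}", 443))
    # A device contacting 25 hosts on port 23 but only one every three minutes.
    for i in range(25):
        flows.append(Flow(1000 + 180 * i, "10.0.0.77", f"192.0.2.{i + 1}", 23))
    return flows


SAMPLE_FLOWS = _constructed_flows()


if __name__ == "__main__":
    for src, (dport, peak) in detect_scanners(SAMPLE_FLOWS).items():
        print(f"ALERT {src}: {peak} distinct destinations on port {dport} "
              f"within {WINDOW_SECONDS}s; isolate, reboot, change the default password")
```

Widening the window to an hour also catches the slow sweeper, at the cost of more false positives from legitimately chatty hosts, which is the trade-off the thresholds encode.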
Now, we have the “offspring” of Mirai at work. Microsoft Security Response Center (2019) reports on the “VPNFilter” malware, which not only affects IoT devices numbering in the hundreds of thousands, but ones which tend to be enterprise-based. VPNFilter, as it turns out, appears to be nation-state based. Its targets are primarily organizations in the fields of defense, government, military, IT, medicine, education, and engineering. This is just one of the many variations which have emerged recently. Almost every IoT malware is just a spin-off of Mirai, and while few avenues of monetizing these botnets have yet arisen, they have proliferated heavily throughout many different global communities (Trend Micro 2019).
Many of these communities seem more motivated by education and curiosity than profitable cybercrime, but they’re actively testing and improving these tools, all of which are available to maliciously motivated attackers.
While most botnets aren’t effectively monetized, this motivation isn’t necessary for these state-level actors to find cause in disrupting an important network. Like dirty bombs, this is a weapon which is hard to control, and with which it is even harder to distinguish rogue actors from those secretly state sanctioned. And, as the world becomes increasingly digitized, the number of vulnerable IoT devices isn’t the only pressing concern. Computerized and networked systems control more and more aspects of our lives, and DDOS’d server systems can impact far more critical sectors than entertainment content-streaming.
As more state-level actors make use of these botnet “supercomputers”, it’ll be easier for more hackers to attack high-level targets whilst offering their employer plausible deniability. Hospitals, power grids, election databases, military installations, and so many more crucial parts of our infrastructure and security are suddenly at a new level of risk and exposure.
Xenotime (a.k.a. the Triton actor) is a hacking group known for its 2017 cyberattack on a Saudi Arabian oil refinery (Wired 2019). They targeted equipment which monitors for leaks, explosions, and other immediate safety issues, leading researchers to identify Xenotime as “easily the most dangerous threat actively known.” Xenotime has now been found to be engaging in broad scans of the US power grid.
“Xenotime has probed the networks of at least 20 different US electric system targets, including every element of the grid from power generation plants to transmission stations to distribution stations. Their scanning ranged from searching for remote login portals to scouring networks for vulnerable features, such as the buggy version of Server Message Block exploited in the EternalBlue hacking tool leaked from the NSA in 2017.”
Not much is known in detail about the Xenotime hackers, but who they are or what motivates them is somewhat irrelevant. The fact of the matter is that they stand as a proof of concept in much the same way Mirai did. It shows what could, and likely will, happen in the near future. Hackers aren’t the type to leave valuable tools or targets on the table, and this is a ripe time for such actors. The IoT isn’t going anywhere. It’s only going to become more ubiquitous. Therefore, we need to legislate proper password protocols in IoT devices as a matter of international security. Leaving the IoT open as a tool for the collection and deployment of botnets is akin to leaving weaponized nuclear materials in the wild – it’s tricky enough dealing with stable nations having that kind of power, let alone rogue actors with less predictable motivations and paths of action.
The Department of Homeland Security is already taking steps to push for more security incorporated in the design phase, as well as other important steps towards solving these glaring issues. The problem is that this can’t be solved on the national level. Even if we secure our IoT devices, botnets can still be deployed with the swath of vulnerable units in SE Asia and South America.
While we presently lack the institutions to enforce this on an international level, that is what we’ll likely need. In essence, IEEE needs legislative backing on the global scale for us to ever counter this threat. If one is a nation-state, corporate, or other legitimate operation, this is desirable. If one is a political dissident, cybercriminal, or other rogue actor, then this is most undesirable.
By dealing with this problem efficiently and through international cooperation, we can set a healthy framework for addressing the myriad security issues likely to arise in the coming century of further digitization. The institutional tools we design to solve this can be applied to many other areas, specifically misconfiguration vulnerabilities, which account for 43% of data breaches (IBM X-Force 2019).
Mirai presents a pressing problem to global network security. The vulnerabilities which make Mirai and its offshoots possible allow anyone to wield a powerful digital weapon with great anonymity. Without a concerted and coordinated effort on the part of governments and manufacturers, we will only see more dangerous versions of this malware employed for more and more dangerous ends. With hospitals, power grids, and other critical infrastructure so heavily networked, we must treat IoT security with the same seriousness we approach other areas of national defense. While the Pentagon has certainly begun, it remains to be seen how effective their long-term efforts are. With core decisions, such as who won their coveted “JEDI” cloud contract, being co-opted for apparent personal politics, the Pentagon itself may soon be under penetrating fire by botnet actors (CNBC, Feuer 2019). It’s a new battlefield, and while Mirai didn’t create it, it has certainly changed it forever.
Sources:
Cisco (2016). Internet of Things. at-a-glance-c45-731471.pdf
Buntz (2019). 6 IoT Security Reminders Three Years After Mirai.
Hilt, Trend Micro (2019). The Internet of Things in the Cybercrime Underground. wp-the-internet-of-things-in-the-cybercrime-underground.pdf
Wired (2019). The Highly Dangerous ‘Triton’ Hackers Have Probed the US Grid. https://www.wired.com/story/triton-hackers-scan-us-power-grid/
Dragos (2019). Threat Proliferation in ICS Cybersecurity: XENOTIME Now Targeting Electric Sector, in Addition to Oil and Gas. https://dragos.com/blog/industry-news/threat-proliferation-in-ics-cybersecurity-xenotime-now-targeting-electric-sector-in-addition-to-oil-and-gas/
Emergency and Disaster Management Digest (2016). IoT Security is Now a Matter of National Security. https://edmdigest.com/news/iot-security-is-now-a-matter-of-national-security/
IBM X-Force (2019). X-Force Threat Intelligence Index. https://www.ibm.com/downloads/cas/ZGB3ERYD
CNBC, Feuer (2019). Pentagon cloud contract, insider account claims.