Security Market Segment LS
Tuesday, 03 September 2019 15:49

Pluralsight Live speakers: roll your own penetration testing tool; protect IoT devices

By

IT vendors' conferences typically focus on the host company's products and services. Training platform provider Pluralsight takes a different approach by including presentations by subject matter experts.

Two such sessions that caught iTWire's eye were both security related.

Pluralsight author Dale Meredith saw a commercial 'mobile hacking kit' selling for around US$750, but realised it was built around a Raspberry Pi and that the hardware could be assembled for around US$200, even when using the newer Raspberry Pi 4B. While the 4B is more capable, the downside is that case manufacturers are still catching up with the rearranged port locations, so you can choose between modifying an old design with a Dremel tool to carve out an opening, or waiting for a redesigned case, he said.

Other items required and included in the US$200 budget are a 7in touchscreen, keyboard, microSD card, and a power supply. The software needed for the kit is Kali Linux, a distro specifically designed for penetration testing.

Meredith noted that a battery pack provides around 36 hours operation, which provides enough time to capture a significant amount of Wi-Fi data if a Raspberry Pi based sniffer is left on the target premises, possibly disguised as a device that should be there, such as a carbon dioxide sensor.

Security professionals can also make good use of Raspberry Pi based pico clusters, which are available off the shelf with three, five, ten or 48 CPUs, he said. This makes it possible to run (for example) Linux, Windows 10 IoT, Android and Docker Swarm all in one relatively inexpensive box.

AgilePQ chief cryptographer David Gotrik looked at the security issues around IoT devices.

IoT has been adopted more quickly than any technology in history. It is predicted that 20 billion devices will be deployed this year, but many of then are resource constrained to the point that they are incapable of implementing standard security techniques, even if the developers wanted to do so, he observed. Some don't even have the horsepower to send or receive encrypted data.

More than 90% of IoT devices (and they already account for about half of all devices, with forecasts suggesting that will rise to around four fifths by 2023 as "nearly every industry is doing something with IoT") have been operating practically no security, said Gotrik.

Yet IoT devices often transfer critical, personal or proprietary data, whether that's as simple as the make and model of the device, or an indication of when premises are unattended.

Huge amounts of data will be collected from IoT devices, and it deserves to be protected.

IoT insecurity involves more than just data loss. In 2016, Mirai co-opted large numbers of devices into a botnet used for DDoS attacks simply by using the default usernames and passwords to install the malware.

Malware can be installed and launched within six minutes of a vulnerable IoT device being exposed to the internet, and such devices are probed around 800 times an hour.

Not all of the sources of vulnerability are easily addressed, he warned. There is pressure to keep hardware costs low, and a reluctance to spend more in order to improve security. In some cases, low power consumption is a key consideration (eg, so a device can run for many months on one battery), and the processing needed to calculate a hash for security purposes significantly adds to the power consumption.

Other issues are the lack of security expertise within vendors, a lack of leadership in this part of the IT industry, the use of proprietary protocols, and "security as an afterthought" (a reference to the situation where boards are designed and fabricated before security requirements are considered).

Customers and potential customers can help by ensuring that decisionmakers are educated about the issues, refusing to settle for 'good enough', and by reacting before – not after – a problem occurs.

Unfortunately, "there's not a lot an individual consumer can do" if a manufacturer hasn't provided the necessary facilities such as being able to enable encryption and change the default username and password, he warned. But some measures – such as connecting IoT devices to the guest Wi-Fi network rather than the main network, and installing a good firewall – do provide a degree of protection.

Disclosure: The writer attended Pluralsight Live as a guest of the company.

BUSINESS WORKS BETTER WITH WINDOWS 1O. MAKE THE SHIFT

You cannot afford to miss this Dell Webinar.

With Windows 7 support ending 14th January 2020, its time to start looking at your options.

This can have significant impacts on your organisation but also presents organisations with an opportunity to fundamentally rethink the way users work.

The Details

When: Thursday, September 26, 2019
Presenter: Dell Technologies
Location: Your Computer

Timezones

QLD, VIC, NSW, ACT & TAS: 11:00 am
SA, NT: 10:30 am
WA: 9:00 am NZ: 1:00 pm

Register and find out all the details you need to know below.

REGISTER!

ADVERTISE ON ITWIRE NEWS SITE & NEWSLETTER

iTWire can help you promote your company, services, and products.

Get more LEADS & MORE SALES

Advertise on the iTWire News Site / Website

Advertise in the iTWire UPDATE / Newsletter

Promote your message via iTWire Sponsored Content/News

Guest Opinion for Home Page exposure

Contact Andrew on 0412 390 000 or email [email protected]

OR CLICK HERE!

Stephen Withers

joomla visitors

Stephen Withers is one of Australia¹s most experienced IT journalists, having begun his career in the days of 8-bit 'microcomputers'. He covers the gamut from gadgets to enterprise systems. In previous lives he has been an academic, a systems programmer, an IT support manager, and an online services manager. Stephen holds an honours degree in Management Sciences and a PhD in Industrial and Business Studies.

VENDOR NEWS & EVENTS

REVIEWS

Recent Comments