Jeff Katz from KIWI discusses topics relating to Privacy and Security in the Internet of Things. What you should do, what you should never do, and what to avoid becoming. From the IoT Conference September 2015 in Berlin
IoT Security Middleware: evaluating the threats and protecting against them (Nick Allott)
Brief introduction to the security threats relating to the Internet of Things (IoT) and some techniques to protect against them.
Presented at SetSquared event: The Internet of Threats: start-up opportunities in IoT security 7/10/2015
The Internet of Things is exploding. This whitepaper helps product developers understand the security and privacy issues, their impact, and recommendations for embedding best practices during the PDLC.
Yesterday Pierluigi Paganini, CISO Bit4Id and founder Security Affairs, presented at the ISACA Roma & OWASP Italy conference the state of the art for the Internet of Things paradigm. The presentation highlights the security and privacy issues for the Internet of Things, a technology that is changing user’s perception of the technology.
"Cybersecurity - Current Landscape and Future Challenges", Anish Mohammed, Lead Security Architect at Lloyds Bank Group (Dataconomy Media)
Watch more from Data Natives Berlin 2016 here: http://bit.ly/2fE1sEo
Visit the conference website to learn more: www.datanatives.io
Follow Data Natives:
https://www.facebook.com/DataNatives
https://twitter.com/DataNativesConf
Stay Connected to Data Natives by Email: Subscribe to our newsletter to get the news first about Data Natives 2017: http://bit.ly/1WMJAqS
About the Author:
Anish has been working in the security and cryptography area for the past 15 years, as a researcher and as a consultant. His first brush with payment systems was 15 years ago when he was involved in building a micropayments system for Ericsson. He has spent half his career researching cryptographic algorithms and protocols at three different research groups including Microsoft Research. He has also published multiple papers in the area of security and cryptography and contributed to thought leadership in the security space through guides, POVs, white papers and talks. He has also worked as a strategy consultant for Accenture and Capgemini. Most recently he has been involved in the Blockchain ecosystem as one of the founding members of UKDCA. He is also on the advisory board for Ripple Labs, IEET, EA Ventures, Adjoint and Chain of Things. These days he works for a large UK bank where he is lead security architect.
Approaches to Security and Privacy when developing new Internet of Things (IoT) and Big Data Analytics products presented at WaveFront Summits, Ottawa, 2015
The growth of IoT is occurring at an incredible rate, justly raising alarms about IoT security and IoT privacy issues as we become increasingly reliant on these intelligent, interconnected devices in our lives and businesses. How are we to protect billions of devices from attacks and intrusions that could compromise our personal privacy, public safety, or business viability? Building an IoT solution involves securing sensors, devices, networks, cloud platforms, web applications, and mobile applications for diverse industries. This presentation examines the landscape of emerging security challenges posed by connected devices and offers a catalog of security deployment patterns that have been successfully used by some of the worlds most well known OEMs to deploy connected product fleets.
IoT Security – Executing an Effective Security Testing Process EC-Council
Deral Heiland, CISSP, serves as the Research Lead (IoT) for Rapid7. Deral has over 20 years of experience in the Information Technology field and has held multiple positions including Senior Network Analyst, Network Administrator, Database Manager, Financial Systems Manager and Senior Information Security Analyst. Over the last 10+ years Deral’s career has focused on security research, security assessments, penetration testing, and consulting for corporations and government agencies. Deral has also conducted security research on numerous technical subjects, releasing white papers and security advisories, and has presented the information at numerous national and international security conferences including Blackhat, Defcon, Shmoocon, DerbyCon, RSAC and Hack In Paris. Deral has been interviewed and quoted by several media outlets and publications including ABC World News Tonight, BBC, Consumer Reports, MIT Technology Review, SC Magazine, Threat Post and The Register.
Understanding IoT Security: How to Quantify Security Risk of IoT Technologies (Denim Group)
IoT devices are proliferating throughout corporate networks raising concerns about security risks they may introduce. However, IoT technologies differ in many ways from most enterprise-ready technologies that currently exist. Understanding the risks that IoT represents and how to best quantify that risk can be a challenge for many security leaders. This webinar provides an overview of IoT architectures, how they differ from existing infrastructure devices, and how best to measure the risk IoT devices represent. It will expose attendees to concepts like Threat Modeling for IoT and provide additional references that will help build a successful IoT security assessment program.
Research presentation for IoT/M2M security
- Paper: Distributed Capability-based Access Control for the Internet of Things
- Security solution in open source IoT platform (OM2M, AllJoyn)
An IoT security compliance framework is essential to ensure IoT security. Here is a complete IoT security audit checklist for ensuring the security of IoT devices in real time. Learn more here: https://www.qwentic.com/blog/iot-security-compliance-checklist
IoT Security: Debunking the "We Aren't THAT Connected" Myth (Security Innovation)
In a world where convenience is key, consumers are adopting every new connected device that hits the shelves - and doing so with the assumption that due diligence security has been considered. But recent IoT attacks suggest otherwise.
As organizations migrate from a primarily offline to an online business model, they are failing to consider IoT’s unique threats, which traditional solutions cannot address. As a result, steps must be taken to ensure that the device, connections and infrastructure are hardened, especially the software which runs IoT devices and is the source of ~90% of attacks.
This webinar is ideal for risk, technology, and security professionals that want to understand why a hacker would want to attack their “harmless” IoT device and what the stealth risk to their organization and consumers is.
Topics covered include:
- IoT security – why it’s so different….and tough
- The IoT ecosystem and attack surface
- Managing liability - IoT risks to consumers and vendors
- Auditing IoT software development
IoT Systems provide powerful, flexible features for IT systems — tracking, monitoring, and other data sharing. Today’s IoT devices utilize microservices and APIs that make them easy to put into production. But securing them isn’t as easy.
This webinar will look at security risks of IoT devices, interfaces, and implementations. We’ll provide practical steps and checklists any DevOps team can use to make their IoT components as secure as possible. We’ll also cover some testing best practices that can be done pre- and post-production to verify security and resilience on an ongoing basis.
Modern Cyber Threat Protection techniques for Enterprises (Abhinav Biswas)
Presentation delivered for Management Development Programme on "Information and Cyber Security" at Institute of Public Enterprise, Hyderabad on 12th September, 2015.
A presentation given at the Glasgow Caledonian University, Digital Forensics Student Conference in 2014 discussing some of the technical challenges we face in cyber forensics and possible research areas.
Privacy on the Series of Tubes of Things (EFF-Austin)
Created and presented by Todd Manning for the EFF-Austin Meetup on November 17, 2014 at Capital Factory in Austin, Texas.
https://www.youtube.com/watch?v=OiLpe3--ZB8
Embedded computing is everywhere. It is in our car engines, refrigerators, and even in the singing greeting cards we send. With improvements in wireless technology, these systems are starting to talk with each other, and they are appearing in places like our shoes and wrists to monitor our athletic activity or health. This emerging Internet of Everything (IoE) has tremendous potential to improve our lives. But like any powerful technology, it also has a dark side: it will observe and implement many of our actions. Security in the IoE is likely to be even more critical than general Internet security. After reviewing some of the challenges in creating a secure IoE, Horowitz will describe a new research program at Stanford to address this issue.
APrIGF 2015: Security and the Internet of Things (APNIC)
Adli Wahid addresses the current cybersecurity issues seen with the growth of the Internet of Things at the 2015 Asia Pacific Regional Internet Governance Forum (APrIGF) in Macao.
A seminar presentation on Open Source by Ritwick Halder - a computer science engineering student at Academy Of Technology, West Bengal, India - 2013
Personal Website - www.ritwickhalder.com
Privacy and Security in the Internet of Things (Positive Hack Days)
Speaker: Jeff Katz
According to Cisco forecasts, 25 billion devices will be connected to the internet this year, and by 2020 that number will double. When planning an Internet of Things (IoT) solution, you must consider that one fine day the FSB may come knocking at your door. User security needs to be thought through in advance and must not be postponed. The speaker will explain how to take advantage of IoT products without infringing on your customers' personal rights. The talk is accompanied by examples of services in which privacy and security were built in from the start of development.
This Time, It’s Personal: Why Security and the IoT Is Different (Justin Grammens)
Unfortunately, in recent years we’ve seen a host of incidents where IoT devices were compromised. Sometimes these have been minor with little coverage, while others like Mirai affected millions around the globe and produced serious economic impact. When attacks like this occur, they not only erode the trust of the users of these devices, but cause those who are looking to adopt this new technology to pause. With any new technology, security must be thought of as a first-class citizen, and when we are talking about IoT, the data is personal. As the IoT matures, I’ll share some mistakes that have happened in the past, where we are today and how I believe we are now finally seeing a maturity of devices that are remotely updated, fault tolerant and secure. When it comes to building an IoT device, security is personal.
A Reference Architecture for IoT: How to create a resilient, secure IoT cloud (WSO2)
Paul Fremantle, CTO & Co-Founder of WSO2 delivered a talk at IoT World Forum in London titled "A Reference Architecture for IoT: How to create a resilient, secure IoT cloud".
The talk discussed how the world is moving from thousands of connected clients to millions of connected devices; and how we are moving from a known security perimeter to an almost infinite attack space. Scalable and secure architecture enables IoT to succeed and Paul elaborated what such an architecture should look like, and how major companies have implemented this using best of breed Open Source components.
Refugees on Rails Berlin - #2 Tech Talk on Security (Gianluca Varisco)
#2 Tech Talk on Security @ Refugees on Rails Berlin (Tue 8 Dec 2015)
A Cyber Security walk-through focused on current threats, trends and few predictions for 2016.
Speaking at John Carroll University on the Internet of Things (Justin Grammens)
I was honored to have been invited to speak at John Carroll University on “The Internet of Things - Making the Physical World Smarter.” It was an extremely fun and engaging audience and I enjoyed every minute of the presentation. I hope you enjoy it as well, and please don't hesitate to reach out with any questions.
5th International Scientific Conference "Information Science (Scientific Information) in a Period of Change: Innovative Information Services". Wydział Dziennikarstwa, Informacji i Bibliologii, Katedra Informatologii, Uniwersytet Warszawski, Warsaw, 15 – 16 May 2017
UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from security incidents (APNIC)
APNIC Senior Security Specialist Adli Wahid provides some useful findings of lessons learned from security incidents at the UMS Cybersecurity Awareness Seminar, held online on 25 October 2021.
Spirent: The Internet of Things: The Expanded Security Perimeter (Sailaja Tennati)
IoT: The Expanded Security Perimeter, as presented at SecCon 2015 in San Jose, CA, addresses the increased security challenges associated with the proliferation of smart devices.
By Mike Jack, Sr. Manager, Security and Applications
Presented by Paul Wilson, Director General of APNIC and Chair of APrIGF Multistakeholder Steering Group at the Asia Pacific Internet Leadership Program as part of 2016 APrIGF Taipei
Beyond the Scan: The Value Proposition of Vulnerability Assessment (Damon Small)
Vulnerability Assessment is, by some, regarded as one of the least “sexy” capabilities in information security. However, it is the presenter’s view that it is also a key component of any successful infosec program, and one that is often overlooked. Doing so serves an injustice to the organization and results in many missed opportunities to help ensure success in protecting critical information assets. The presenter will explore how Vulnerability Assessment can be leveraged “Beyond the Scan” and provide tangible value to not only the security team, but the entire business that it supports.
100 years ago the world was revolutionized when we could turn air into bread. New technologies allow us to perform miracles--if only we can be imaginative enough.
The Internet of Things is coming... and if it stays how it is today, it will be a complete nightmare when it arrives. Different groups are attempting to address these problems, but each approach has its own shortcomings.
2018: Overview of Berlin Hardware Past, Present, and Future (Jeff Katz)
Berlin was historically a place for building and manufacturing things. Today, it's the center of a lively and growing hardware startup community. But what will the next steps be?
Much like the flying car, people have been dreaming about the smart home for centuries. We're at the point now where technology can support it, but for some reason it's just not there...
Unlocking Western Retail Markets for your Hardware (Jeff Katz)
Targeting China, this presentation is an overview of what needs to be considered when launching a product for end consumers in a western market. Simple do's and don'ts are supplemented with real-world examples and important advice.
Poised to be the next great technological boom, the Internet of Things has been astronomically hyped. Unfortunately, when it comes to the Smart Home, today we've got more Juicero than Jetsons. To live up to its name, the Smart Home needs to become invisible.
Levelwise PageRank with Loop-Based Dead End Handling Strategy : SHORT REPORT ... (Subhajit Sahu)
Abstract — Levelwise PageRank is an alternative method of PageRank computation which decomposes the input graph into a directed acyclic block-graph of strongly connected components, and processes them in topological order, one level at a time. This enables calculation for ranks in a distributed fashion without per-iteration communication, unlike the standard method where all vertices are processed in each iteration. It however comes with a precondition of the absence of dead ends in the input graph. Here, the native non-distributed performance of Levelwise PageRank was compared against Monolithic PageRank on a CPU as well as a GPU. To ensure a fair comparison, Monolithic PageRank was also performed on a graph where vertices were split by components. Results indicate that Levelwise PageRank is about as fast as Monolithic PageRank on the CPU, but quite a bit slower on the GPU. Slowdown on the GPU is likely caused by a large submission of small workloads, and expected to be non-issue when the computation is performed on massive graphs.
Opendatabay - Open Data Marketplace.pptx (Opendatabay)
Opendatabay.com unlocks the power of data for everyone. Open Data Marketplace fosters a collaborative hub for data enthusiasts to explore, share, and contribute to a vast collection of datasets.
First ever open hub for data enthusiasts to collaborate and innovate. A platform to explore, share, and contribute to a vast collection of datasets. Through robust quality control and innovative technologies like blockchain verification, opendatabay ensures the authenticity and reliability of datasets, empowering users to make data-driven decisions with confidence. Leverage cutting-edge AI technologies to enhance the data exploration, analysis, and discovery experience.
From intelligent search and recommendations to automated data productisation and quotation, Opendatabay's AI-driven features streamline the data workflow. Finding the data you need shouldn't be complex. Opendatabay simplifies the data acquisition process with an intuitive interface and robust search tools. Effortlessly explore, discover, and access the data you need, allowing you to focus on extracting valuable insights. Opendatabay breaks new ground with dedicated, AI-generated synthetic datasets.
Leverage these privacy-preserving datasets for training and testing AI models without compromising sensitive information. Opendatabay prioritizes transparency by providing detailed metadata, provenance information, and usage guidelines for each dataset, ensuring users have a comprehensive understanding of the data they're working with. By leveraging a powerful combination of distributed ledger technology and rigorous third-party audits, Opendatabay ensures the authenticity and reliability of every dataset. Security is at the core of Opendatabay. The marketplace implements stringent security measures, including encryption, access controls, and regular vulnerability assessments, to safeguard your data and protect your privacy.
Data Centers - Striving Within A Narrow Range - Research Report - MCG - May 2... (pchutichetpong)
M Capital Group (“MCG”) expects demand to grow and supply to evolve as institutional investment rotates out of offices and into work from home (“WFH”), while the need for data storage keeps expanding with global internet usage, which experts predict will reach 5.3 billion users by 2023. These market factors are underpinned by technological changes such as maturing cloud services and edge sites, and the industry is expected to see strong annual growth of 13% over the next 4 years.
Whilst competitive headwinds remain, represented through the recent second bankruptcy filing of Sungard, which blames “COVID-19 and other macroeconomic trends including delayed customer spending decisions, insourcing and reductions in IT spending, energy inflation and reduction in demand for certain services”, the industry has seen key adjustments, where MCG believes that engineering cost management and technological innovation will be paramount to success.
MCG reports that the more favorable market conditions expected over the next few years, helped by the winding down of pandemic restrictions and a hybrid working environment will be driving market momentum forward. The continuous injection of capital by alternative investment firms, as well as the growing infrastructural investment from cloud service providers and social media companies, whose revenues are expected to grow over 3.6x larger by value in 2026, will likely help propel center provision and innovation. These factors paint a promising picture for the industry players that offset rising input costs and adapt to new technologies.
According to M Capital Group: “Specifically, the long-term cost-saving opportunities available from the rise of remote managing will likely aid value growth for the industry. Through margin optimization and further availability of capital for reinvestment, strong players will maintain their competitive foothold, while weaker players exit the market to balance supply and demand.”
As Europe's leading economic powerhouse and the fourth-largest economy globally, Germany stands at the forefront of innovation and industrial might. Renowned for its precision engineering and high-tech sectors, Germany's economic structure is heavily supported by a robust service industry, accounting for approximately 68% of its GDP. This economic clout and strategic geopolitical stance position Germany as a focal point in the global cyber threat landscape.
In the face of escalating global tensions, particularly those emanating from geopolitical disputes with nations like Russia and China, Germany has witnessed a significant uptick in targeted cyber operations. Our analysis indicates a marked increase in cyberattack sophistication aimed at critical infrastructure and key industrial sectors. These attacks range from ransomware campaigns to Advanced Persistent Threats (APTs), threatening national security and business integrity.
🔑 Key findings include:
🔍 Increased frequency and complexity of cyber threats.
🔍 Escalation of state-sponsored and criminally motivated cyber operations.
🔍 Active dark web exchanges of malicious tools and tactics.
Our comprehensive report delves into these challenges, using a blend of open-source and proprietary data collection techniques. By monitoring activity on critical networks and analyzing attack patterns, our team provides a detailed overview of the threats facing German entities.
This report aims to equip stakeholders across public and private sectors with the knowledge to enhance their defensive strategies, reduce exposure to cyber risks, and reinforce Germany's resilience against cyber threats.
1. Jeff Katz | KIWI
Privacy and Security in the Internet of Things
2. Agenda
• A bit about me
• Privacy and Data Collection
• Security and Data Protection
• Guidelines
• Example
• Questions
3. A small bio
• Embedded Engineer, hardware and software (but also backend, mobile, frontend, web...)
• Developed hardware to break Nintendo DS copy protection
• 7+ Years in Physical Access Control Industry
• VP Engineering, KIWI (more at kraln.com)
5. Privacy
• Ability to preclude information from being shared or communicated
• What is sensitive changes over time
• What is private changes over time
• Remember: Anonymized data isn’t [1]
[1] Ohm, Paul, Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization (August 13, 2009). UCLA Law Review, Vol. 57, p. 1701, 2010; U of Colorado Law Legal Studies Research Paper No. 9-12. Available at SSRN: http://ssrn.com/abstract=1450006
6. Data Collection
• Don’t collect data you don’t need
• Don’t use services that collect data in order to provide your product or service
• Avoid unintentional information leakage
• Data is a double-edged sword
• Pretend everything will become public!
7. Example: Smart Thermostat
• What you want
– House temperature auto-adjusts
– House is warm when you come home
– Less energy usage
• What you leak
– Knowledge about where other people are
– When you are on vacation
– Location information collected by background service on your phone
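The slide on data collection says to collect only what you need, avoid unintentional leakage and assume everything becomes public; the thermostat slide shows what goes wrong otherwise. The following is an added example (not from the original slides or from KIWI) of what that looks like in device firmware: a telemetry filter that keeps an allow-list of fields the auto-adjust feature actually needs, coarsens the exact timestamp into a six-hour bucket so minute-level comings and goings are never recorded, and silently drops the phone location and per-room occupancy that a background service might have attached. The field names, the six-hour bucket and the sample reading are assumptions constructed for illustration.

```python
"""Data-minimisation filter for smart-thermostat telemetry.

Added example, not code from the original presentation. It applies the
slide's guidelines (collect only what the feature needs, avoid
unintentional leakage, assume everything becomes public) to the
thermostat scenario. Field names and the sample reading are constructed.
"""
from datetime import datetime

# Fields the auto-adjust feature actually needs. Anything not listed here
# is dropped before a reading leaves the device. (Assumed field names.)
ALLOWED_FIELDS = {"device_id", "indoor_temp_c", "target_temp_c", "hour_bucket"}

# Fields that reveal more than the feature needs: phone GPS, per-room
# presence and exact timestamps. These are the "what you leak" column.
LEAKY_FIELDS = {"phone_lat", "phone_lon", "room_occupancy", "timestamp"}


def coarsen_timestamp(ts: str, bucket_hours: int = 6) -> str:
    """Reduce an exact ISO-8601 timestamp to a coarse time-of-day bucket.

    Exact timestamps of every temperature change reveal daily routines;
    a 6-hour bucket (an assumed choice) still lets the backend learn a
    heating schedule without recording minute-level comings and goings.
    """
    dt = datetime.fromisoformat(ts)
    start = (dt.hour // bucket_hours) * bucket_hours
    return f"{start:02d}-{start + bucket_hours:02d}"


def minimise(reading: dict) -> dict:
    """Return the subset of a raw reading that is allowed to leave the device."""
    out = {}
    for key, value in reading.items():
        if key == "timestamp":
            out["hour_bucket"] = coarsen_timestamp(value)
        elif key in ALLOWED_FIELDS:
            out[key] = value
        # Everything else (location, occupancy, ...) is discarded here, so
        # it can never be breached, subpoenaed or sold later.
    return out


def leaked_fields(reading: dict) -> set:
    """Which of the known leaky fields would a raw, unfiltered upload expose?"""
    return LEAKY_FIELDS & set(reading)


# Constructed sample: a raw reading as careless firmware might assemble it,
# including data copied in from a background location service on the phone.
RAW_READING = {
    "device_id": "thermo-0001",
    "timestamp": "2015-09-14T07:42:10",
    "indoor_temp_c": 19.5,
    "target_temp_c": 21.0,
    "phone_lat": 52.5200,
    "phone_lon": 13.4050,
    "room_occupancy": {"living": 2, "bedroom": 0},
}

if __name__ == "__main__":
    print("raw upload would have leaked:", sorted(leaked_fields(RAW_READING)))
    print("minimised upload:", minimise(RAW_READING))
```

The allow-list is the important design choice: a deny-list of known-leaky fields would silently let through the next field a developer adds, whereas an allow-list forces every new field to be justified against the feature that needs it.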
8. A designer knows he has achieved perfection not when there is nothing left to add, but when there is nothing left to take away.
Antoine de Saint-Exupéry
9. Example: Smart Power Meter
• What you want
– Power usage over time
– Optimize grid
– Easy metering
• What you leak
– When people are home
– What is being watched on TV
– Ability to remotely kill power [1]
[1] http://www.sciencedirect.com/science/article/pii/S1877050915008492
10. But we’re the good guys!
• Security breaches
• Government intrusion
• Corporate sale
Information you collect, even with the best of intentions, can be used against you and your customers.
11. Security breaches
• Any data you have can & will be used against you
• The more data you have, the more valuable you are as a target
• Large or small scale possible
• Matter of when, not if!
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
12. Example: Smart Lock
• What you want
– Lock works with cellphone over Bluetooth
– List of people who come and go, and when
– No need for metal keys anymore
• What everyone gets
– List of people who come and go, and when
– Ability to drain battery, lock people out of their houses
14. Corporate sale
• Barclays bank tells 13 million customers it is to start selling information on their spending habits to other companies
http://www.theguardian.com/business/2013/jun/24/barclays-bank-sell-customer-data
• Bell faces $750M lawsuit over allegedly selling customer data
http://www.cbc.ca/news/canada/windsor/bell-faces-750m-lawsuit-over-allegedly-selling-customer-data-1.3037545
• “RadioShack Corp. won court approval to sell data on about 67 million customers in a $26.2 million deal for assets that also includes the bankrupt electronics retailer’s name.”
http://www.bloomberg.com/news/articles/2015-05-20/radioshack-receives-approval-to-sell-name-to-standard-general
15. Security
• The internet is radioactive ☢
• Wireless communications are radioactive ☢
• Users are very radioactive ☢
• Minimize your exposure!
• Strong encryption is your radiation shielding!
• Keep your business-critical data, and your users’ data, as far away from the danger as possible
16. Example: LIFX
• What you want
– App to control lightbulb
– Easy set up, wireless control
• What you get
– Mesh-network “encrypted” with keys sent in plain-text
– WIFI password broadcast unencrypted
http://www.contextis.com/resources/blog/hacking-internet-connected-light-bulbs/
17. Medical Devices: Myth
• High standards mean high quality
• Enable doctors to work remotely
• Security vulnerabilities do not exist, or even if they did, they would not cause problems
• Medical devices are always airgapped
18. Medical Devices: Reality
• High standards mean lots of shortcuts
• Enable anyone to access remotely
• Security vulnerabilities do exist, and create critical problems
• Medical devices are almost never airgapped. Many devices can be crashed just by running simple security scans (port scans)
19. Why should I care?
• Immunizations provide herd immunity!
• Designing for privacy and security is much easier and more effective than retrofitting
• Defense in depth
• Think of your mom!
21. What can I do?
• Collect as little information as possible
• What you collect, always secure/encrypt
• Secure command & control channel
• Have a disaster recovery plan
• Have a privacy policy
• Don’t re-invent the wheel
• Work with security researchers
More ideas: https://msdn.microsoft.com/en-us/library/ms976532.aspx
22.
• Physical Access Control as a Service
• Private apartments, service providers, and house management companies
• Mix of hardware, software, wireless sensor network and web applications
• High focus on privacy and security of our users