.org

solarwinds123: Did a Weak Password Result in SolarWinds Hack?on March 2, 2021 at 1:46 pm Feedzy

FeedzyRead MoreAs the investigations on the infamous SolarWinds supply chain attacks are ongoing, the top management of the company blamed an intern for the password “solarwinds123” lapse, which is believed to be the main cause of the recent chain of cyberattacks. Sources suggest that the password was publicly accessible via a GitHub repository since June 17, […]
The post solarwinds123: Did a Weak Password Result in SolarWinds Hack? appeared first on CISO MAG | Cyber Security Magazine.

As the investigations on the infamous SolarWinds supply chain attacks are ongoing, the top management of the company blamed an intern for the password “solarwinds123” lapse, which is believed to be the main cause of the recent chain of cyberattacks. Sources suggest that the password was publicly accessible via a GitHub repository since June 17, 2018, before it was addressed on November 22, 2019, after being reported by a security researcher.

As part of the ongoing investigation, several U.S. lawmakers questioned the Texas-based software firm on the password issue in a joint hearing by the official House Oversight and Homeland Securities committees. In his hearing, Sudhakar Ramakrishna, CEO of SolarWinds, confirmed that the password has been in use as early as 2017.

“I believe that was a password that an intern used on one of his servers back in 2017, which was reported to our security team, and it was immediately removed. That related to a mistake that an intern made, and they violated our password policies, and they posted that password on their own private GitHub account. As soon as it was identified and brought to the attention of my security team, they took that down,” Ramakrishna said in the hearing.

“I’ve got a stronger password than ‘solarwinds123’ to stop my kids from watching too much YouTube on their iPad. You and your company were supposed to be preventing the Russians from reading Defense Department emails,” said Representative Katie Porter of California.

Till now over 18,000 high-profile customers including multiple U.S. government agencies and tech companies like Microsoft, FireEye, Boeing, and many others have been affected by the SolarWinds hack. The White House acknowledged that a Russian state-sponsored group known as the Cozy Bear or APT 29 carried out the targeted cyberattacks on several U.S. government agencies through a vulnerability in its IT management software called SolarWinds Orion. It appears that a significant amount of investment was made to ensure that the code was properly inserted and that the presence of malware remained undetected in their build environment.

The post solarwinds123: Did a Weak Password Result in SolarWinds Hack? appeared first on CISO MAG | Cyber Security Magazine.

SolarWinds Microsoft source code

As the investigations on the infamous SolarWinds supply chain attacks are ongoing, the top management of the company blamed an intern for the password “solarwinds123” lapse, which is believed to be the main cause of the recent chain of cyberattacks. Sources suggest that the password was publicly accessible via a GitHub repository since June 17, 2018, before it was addressed on November 22, 2019, after being reported by a security researcher.

As part of the ongoing investigation, several U.S. lawmakers questioned the Texas-based software firm on the password issue in a joint hearing by the official House Oversight and Homeland Securities committees. In his hearing, Sudhakar Ramakrishna, CEO of SolarWinds, confirmed that the password has been in use as early as 2017.

“I believe that was a password that an intern used on one of his servers back in 2017, which was reported to our security team, and it was immediately removed. That related to a mistake that an intern made, and they violated our password policies, and they posted that password on their own private GitHub account. As soon as it was identified and brought to the attention of my security team, they took that down,” Ramakrishna said in the hearing.

“I’ve got a stronger password than ‘solarwinds123’ to stop my kids from watching too much YouTube on their iPad. You and your company were supposed to be preventing the Russians from reading Defense Department emails,” said Representative Katie Porter of California.

Till now over 18,000 high-profile customers including multiple U.S. government agencies and tech companies like Microsoft, FireEye, Boeing, and many others have been affected by the SolarWinds hack. The White House acknowledged that a Russian state-sponsored group known as the Cozy Bear or APT 29 carried out the targeted cyberattacks on several U.S. government agencies through a vulnerability in its IT management software called SolarWinds Orion. It appears that a significant amount of investment was made to ensure that the code was properly inserted and that the presence of malware remained undetected in their build environment.

solarwinds123: Did a Weak Password Result in SolarWinds Hack?CISOMAGon March 2, 2021 at 1:46 pm CISO MAG | Cyber Security Magazine

News, Threats, Cyberattacks, cybersecurity, GitHub repository, password, Solarwinds, SolarWinds hacks, SolarWinds supply chain attack, solarwinds123 password, Sudhakar Ramakrishna, Texas-based software firm, U.S. lawmakersCISO MAG | Cyber Security MagazineRead MoreAs the investigations on the infamous SolarWinds supply chain attacks are ongoing, the top management of the company blamed an intern for the password “solarwinds123” lapse, which is believed to be the main cause of the recent chain of cyberattacks. Sources suggest that the password was publicly accessible via a GitHub repository since June 17,
The post solarwinds123: Did a Weak Password Result in SolarWinds Hack? appeared first on CISO MAG | Cyber Security Magazine.

As the investigations on the infamous SolarWinds supply chain attacks are ongoing, the top management of the company blamed an intern for the password “solarwinds123” lapse, which is believed to be the main cause of the recent chain of cyberattacks. Sources suggest that the password was publicly accessible via a GitHub repository since June 17, 2018, before it was addressed on November 22, 2019, after being reported by a security researcher.

As part of the ongoing investigation, several U.S. lawmakers questioned the Texas-based software firm on the password issue in a joint hearing by the official House Oversight and Homeland Securities committees. In his hearing, Sudhakar Ramakrishna, CEO of SolarWinds, confirmed that the password has been in use as early as 2017.

“I believe that was a password that an intern used on one of his servers back in 2017, which was reported to our security team, and it was immediately removed. That related to a mistake that an intern made, and they violated our password policies, and they posted that password on their own private GitHub account. As soon as it was identified and brought to the attention of my security team, they took that down,” Ramakrishna said in the hearing.

“I’ve got a stronger password than ‘solarwinds123’ to stop my kids from watching too much YouTube on their iPad. You and your company were supposed to be preventing the Russians from reading Defense Department emails,” said Representative Katie Porter of California.

Till now over 18,000 high-profile customers including multiple U.S. government agencies and tech companies like Microsoft, FireEye, Boeing, and many others have been affected by the SolarWinds hack. The White House acknowledged that a Russian state-sponsored group known as the Cozy Bear or APT 29 carried out the targeted cyberattacks on several U.S. government agencies through a vulnerability in its IT management software called SolarWinds Orion. It appears that a significant amount of investment was made to ensure that the code was properly inserted and that the presence of malware remained undetected in their build environment.

The post solarwinds123: Did a Weak Password Result in SolarWinds Hack? appeared first on CISO MAG | Cyber Security Magazine.

As the investigations on the infamous SolarWinds supply chain attacks are ongoing, the top management of the company blamed an intern for the password “solarwinds123” lapse, which is believed to be the main cause of the recent chain of cyberattacks. Sources suggest that the password was publicly accessible via a GitHub repository since June 17, 2018, before it was addressed on November 22, 2019, after being reported by a security researcher.

As part of the ongoing investigation, several U.S. lawmakers questioned the Texas-based software firm on the password issue in a joint hearing by the official House Oversight and Homeland Securities committees. In his hearing, Sudhakar Ramakrishna, CEO of SolarWinds, confirmed that the password has been in use as early as 2017.

“I believe that was a password that an intern used on one of his servers back in 2017, which was reported to our security team, and it was immediately removed. That related to a mistake that an intern made, and they violated our password policies, and they posted that password on their own private GitHub account. As soon as it was identified and brought to the attention of my security team, they took that down,” Ramakrishna said in the hearing.

“I’ve got a stronger password than ‘solarwinds123’ to stop my kids from watching too much YouTube on their iPad. You and your company were supposed to be preventing the Russians from reading Defense Department emails,” said Representative Katie Porter of California.

Till now over 18,000 high-profile customers including multiple U.S. government agencies and tech companies like Microsoft, FireEye, Boeing, and many others have been affected by the SolarWinds hack. The White House acknowledged that a Russian state-sponsored group known as the Cozy Bear or APT 29 carried out the targeted cyberattacks on several U.S. government agencies through a vulnerability in its IT management software called SolarWinds Orion. It appears that a significant amount of investment was made to ensure that the code was properly inserted and that the presence of malware remained undetected in their build environment.

The post solarwinds123: Did a Weak Password Result in SolarWinds Hack? appeared first on CISO MAG | Cyber Security Magazine.

COVIDGuardian: A Guardian Angel for COVID-19 Contact Tracing Appson March 2, 2021 at 12:30 pm Feedzy

FeedzyRead MorePeople around the globe have always been apprehensive about the implementation and usage of the COVID-19 contact tracing apps. They feared that cybercriminals could target and misuse their personal data through them. Their worst nightmares came true in September 2020, when a study from Intertrust stated that almost 85% of COVID-19 contact tracing apps leak […]
The post COVIDGuardian: A Guardian Angel for COVID-19 Contact Tracing Apps appeared first on CISO MAG | Cyber Security Magazine.

People around the globe have always been apprehensive about the implementation and usage of the COVID-19 contact tracing apps. They feared that cybercriminals could target and misuse their personal data through them. Their worst nightmares came true in September 2020, when a study from Intertrust stated that almost 85% of COVID-19 contact tracing apps leak data. However, things are about to change as researchers from Queen Mary University of London (QMUL) have developed an assessment tool – called COVIDGuardian – which will help analyze the security and privacy gaps in these COVID-19 contact tracing apps.

COVIDGuardian Assessment Tool

With the sudden uncontrollable spread of the COVID-19 pandemic, the contact tracing apps were hurriedly developed by governments around the globe on a constricted timeline. This meant that adhering to hardened security and privacy testing protocols would not have been possible, given the short release timelines. Taking these anomalies into consideration, researchers at QMUL decided to develop an assessment tool that would find potential threats such as malware, embedded trackers, and private information leakage through these contact tracing apps.

Related News:

Almost Half of U.K.’s Population Fears Abuse of NHSX COVID-19 Tracing App

Dr. Gareth Tyson, Senior Lecturer at the Queen Mary University of London said, “With the pandemic, there was a rapid need for contact tracing apps to support efforts to control the spread of Covid-19. Unsurprisingly, we found that this had resulted in some relatively mainstream security bugs being introduced worldwide. Some of the most common risks are related to the use of out-of-date cryptographic algorithms and the storage of sensitive information in plain text formats that could be read by potential attackers.

Our work is helping developers address these problems. Through COVIDGuardian we’ve produced a tool that can be used by developers to discover and fix potential weaknesses in their apps and share guidelines that will help to ensure user privacy and security is maintained.”

During their study of determining COVIDGuardian’s efficacy, 40 COVID-19 contact tracing apps from around the globe were assessed. The study showed the following results:

  • 5% of the apps use at least one insecure cryptographic algorithm.
  • Three-quarters of apps contained at least one tracker that reports information to third parties such as Facebook Analytics or Google Firebase.
  • Most of the 40 apps analyzed were malware-free, but the Kyrgyzstan app going by the name “Stop COVID-19 KG” was discovered to have malware.

Additionally, the researchers performed a survey on more than 370 individuals to find the likelihood of them using a COVID-19 contact tracing app. Not so surprisingly, they found that the biggest impact on whether individuals would use the app or not depended upon the privacy and accuracy of these contact tracing apps.

The research titled “An Empirical Assessment of Global COVID-19 Contact Tracing Applications” will be presented soon at the International Conference on Software Engineering, which will be held between May 23-29, 2021. However, a copy of this paper can be already found here.

Related News:

In a Sea of COVID-19 Tracer Apps Where Does Apple-Google Stand?

The post COVIDGuardian: A Guardian Angel for COVID-19 Contact Tracing Apps appeared first on CISO MAG | Cyber Security Magazine.

COVIDGuardian, Covid-19 contact tracing app assessment tool

People around the globe have always been apprehensive about the implementation and usage of the COVID-19 contact tracing apps. They feared that cybercriminals could target and misuse their personal data through them. Their worst nightmares came true in September 2020, when a study from Intertrust stated that almost 85% of COVID-19 contact tracing apps leak data. However, things are about to change as researchers from Queen Mary University of London (QMUL) have developed an assessment tool – called COVIDGuardian – which will help analyze the security and privacy gaps in these COVID-19 contact tracing apps.

COVIDGuardian Assessment Tool

With the sudden uncontrollable spread of the COVID-19 pandemic, the contact tracing apps were hurriedly developed by governments around the globe on a constricted timeline. This meant that adhering to hardened security and privacy testing protocols would not have been possible, given the short release timelines. Taking these anomalies into consideration, researchers at QMUL decided to develop an assessment tool that would find potential threats such as malware, embedded trackers, and private information leakage through these contact tracing apps.

Related News:

Almost Half of U.K.’s Population Fears Abuse of NHSX COVID-19 Tracing App

Dr. Gareth Tyson, Senior Lecturer at the Queen Mary University of London said, “With the pandemic, there was a rapid need for contact tracing apps to support efforts to control the spread of Covid-19. Unsurprisingly, we found that this had resulted in some relatively mainstream security bugs being introduced worldwide. Some of the most common risks are related to the use of out-of-date cryptographic algorithms and the storage of sensitive information in plain text formats that could be read by potential attackers.

Our work is helping developers address these problems. Through COVIDGuardian we’ve produced a tool that can be used by developers to discover and fix potential weaknesses in their apps and share guidelines that will help to ensure user privacy and security is maintained.”

During their study of determining COVIDGuardian’s efficacy, 40 COVID-19 contact tracing apps from around the globe were assessed. The study showed the following results:

  • 5% of the apps use at least one insecure cryptographic algorithm.
  • Three-quarters of apps contained at least one tracker that reports information to third parties such as Facebook Analytics or Google Firebase.
  • Most of the 40 apps analyzed were malware-free, but the Kyrgyzstan app going by the name “Stop COVID-19 KG” was discovered to have malware.

Additionally, the researchers performed a survey on more than 370 individuals to find the likelihood of them using a COVID-19 contact tracing app. Not so surprisingly, they found that the biggest impact on whether individuals would use the app or not depended upon the privacy and accuracy of these contact tracing apps.

The research titled “An Empirical Assessment of Global COVID-19 Contact Tracing Applications” will be presented soon at the International Conference on Software Engineering, which will be held between May 23-29, 2021. However, a copy of this paper can be already found here.

Related News:

In a Sea of COVID-19 Tracer Apps Where Does Apple-Google Stand?

COVIDGuardian: A Guardian Angel for COVID-19 Contact Tracing AppsCISOMAGon March 2, 2021 at 12:30 pm CISO MAG | Cyber Security Magazine

News, Threats, COVID-19, COVID-19 contact tracing apps, COVID-19 tracing apps, COVIDGuardian, COVIDGuardian assessment tool, privacy assessment tool, security and privacy gaps, security assessment toolCISO MAG | Cyber Security MagazineRead MorePeople around the globe have always been apprehensive about the implementation and usage of the COVID-19 contact tracing apps. They feared that cybercriminals could target and misuse their personal data through them. Their worst nightmares came true in September 2020, when a study from Intertrust stated that almost 85% of COVID-19 contact tracing apps leak
The post COVIDGuardian: A Guardian Angel for COVID-19 Contact Tracing Apps appeared first on CISO MAG | Cyber Security Magazine.

People around the globe have always been apprehensive about the implementation and usage of the COVID-19 contact tracing apps. They feared that cybercriminals could target and misuse their personal data through them. Their worst nightmares came true in September 2020, when a study from Intertrust stated that almost 85% of COVID-19 contact tracing apps leak data. However, things are about to change as researchers from Queen Mary University of London (QMUL) have developed an assessment tool – called COVIDGuardian – which will help analyze the security and privacy gaps in these COVID-19 contact tracing apps.

COVIDGuardian Assessment Tool

With the sudden uncontrollable spread of the COVID-19 pandemic, the contact tracing apps were hurriedly developed by governments around the globe on a constricted timeline. This meant that adhering to hardened security and privacy testing protocols would not have been possible, given the short release timelines. Taking these anomalies into consideration, researchers at QMUL decided to develop an assessment tool that would find potential threats such as malware, embedded trackers, and private information leakage through these contact tracing apps.

Related News:

Almost Half of U.K.’s Population Fears Abuse of NHSX COVID-19 Tracing App

Dr. Gareth Tyson, Senior Lecturer at the Queen Mary University of London said, “With the pandemic, there was a rapid need for contact tracing apps to support efforts to control the spread of Covid-19. Unsurprisingly, we found that this had resulted in some relatively mainstream security bugs being introduced worldwide. Some of the most common risks are related to the use of out-of-date cryptographic algorithms and the storage of sensitive information in plain text formats that could be read by potential attackers.

Our work is helping developers address these problems. Through COVIDGuardian we’ve produced a tool that can be used by developers to discover and fix potential weaknesses in their apps and share guidelines that will help to ensure user privacy and security is maintained.”

During their study of determining COVIDGuardian’s efficacy, 40 COVID-19 contact tracing apps from around the globe were assessed. The study showed the following results:

  • 5% of the apps use at least one insecure cryptographic algorithm.
  • Three-quarters of apps contained at least one tracker that reports information to third parties such as Facebook Analytics or Google Firebase.
  • Most of the 40 apps analyzed were malware-free, but the Kyrgyzstan app going by the name “Stop COVID-19 KG” was discovered to have malware.

Additionally, the researchers performed a survey on more than 370 individuals to find the likelihood of them using a COVID-19 contact tracing app. Not so surprisingly, they found that the biggest impact on whether individuals would use the app or not depended upon the privacy and accuracy of these contact tracing apps.

The research titled “An Empirical Assessment of Global COVID-19 Contact Tracing Applications” will be presented soon at the International Conference on Software Engineering, which will be held between May 23-29, 2021. However, a copy of this paper can be already found here.

Related News:

In a Sea of COVID-19 Tracer Apps Where Does Apple-Google Stand?

The post COVIDGuardian: A Guardian Angel for COVID-19 Contact Tracing Apps appeared first on CISO MAG | Cyber Security Magazine.

People around the globe have always been apprehensive about the implementation and usage of the COVID-19 contact tracing apps. They feared that cybercriminals could target and misuse their personal data through them. Their worst nightmares came true in September 2020, when a study from Intertrust stated that almost 85% of COVID-19 contact tracing apps leak data. However, things are about to change as researchers from Queen Mary University of London (QMUL) have developed an assessment tool – called COVIDGuardian – which will help analyze the security and privacy gaps in these COVID-19 contact tracing apps.

COVIDGuardian Assessment Tool

With the sudden uncontrollable spread of the COVID-19 pandemic, the contact tracing apps were hurriedly developed by governments around the globe on a constricted timeline. This meant that adhering to hardened security and privacy testing protocols would not have been possible, given the short release timelines. Taking these anomalies into consideration, researchers at QMUL decided to develop an assessment tool that would find potential threats such as malware, embedded trackers, and private information leakage through these contact tracing apps.

Related News:

Almost Half of U.K.’s Population Fears Abuse of NHSX COVID-19 Tracing App

Dr. Gareth Tyson, Senior Lecturer at the Queen Mary University of London said, “With the pandemic, there was a rapid need for contact tracing apps to support efforts to control the spread of Covid-19. Unsurprisingly, we found that this had resulted in some relatively mainstream security bugs being introduced worldwide. Some of the most common risks are related to the use of out-of-date cryptographic algorithms and the storage of sensitive information in plain text formats that could be read by potential attackers.

Our work is helping developers address these problems. Through COVIDGuardian we’ve produced a tool that can be used by developers to discover and fix potential weaknesses in their apps and share guidelines that will help to ensure user privacy and security is maintained.”

During their study of determining COVIDGuardian’s efficacy, 40 COVID-19 contact tracing apps from around the globe were assessed. The study showed the following results:

  • 5% of the apps use at least one insecure cryptographic algorithm.
  • Three-quarters of apps contained at least one tracker that reports information to third parties such as Facebook Analytics or Google Firebase.
  • Most of the 40 apps analyzed were malware-free, but the Kyrgyzstan app going by the name “Stop COVID-19 KG” was discovered to have malware.

Additionally, the researchers performed a survey on more than 370 individuals to find the likelihood of them using a COVID-19 contact tracing app. Not so surprisingly, they found that the biggest impact on whether individuals would use the app or not depended upon the privacy and accuracy of these contact tracing apps.

The research titled “An Empirical Assessment of Global COVID-19 Contact Tracing Applications” will be presented soon at the International Conference on Software Engineering, which will be held between May 23-29, 2021. However, a copy of this paper can be already found here.

Related News:

In a Sea of COVID-19 Tracer Apps Where Does Apple-Google Stand?

The post COVIDGuardian: A Guardian Angel for COVID-19 Contact Tracing Apps appeared first on CISO MAG | Cyber Security Magazine.

Don’t use these Android VPNs. They Leak Your Credentials!on March 2, 2021 at 8:30 am Feedzy

FeedzyRead MoreVPN applications that are meant to secure users’ privacy online are now found to be exposing their sensitive information to third parties. Security experts from Cybernews stated that cybercriminals are selling over 21 million users’ records on a hacking forum. It was found that they are trading three databases that contain user credentials and device […]
The post Don’t use these Android VPNs. They Leak Your Credentials! appeared first on CISO MAG | Cyber Security Magazine.

VPN applications that are meant to secure users’ privacy online are now found to be exposing their sensitive information to third parties. Security experts from Cybernews stated that cybercriminals are selling over 21 million users’ records on a hacking forum. It was found that they are trading three databases that contain user credentials and device data from three Android Virtual Private Network (VPN) services – SuperVPN (with 100,000,000+ installs on Play Store), GeckoVPN (10,000,000+ installs), and ChatVPN (50,000+ installs).

The other database contains information including users’ email addresses, usernames, full names, country names, randomly generated password strings, payment-related data, premium member status, and expiration date, along with users’ device serial numbers, phone types and manufacturers, device IDs, and device IMSI numbers.

“The threat actor claims that the data has been exfiltrated from publicly available databases that were left vulnerable by the VPN providers due to developers leaving default database credentials in use,” Cybernews said.

Threats from Unsecured VPNs

The primary reason for using a VPN is to improve a user’s data privacy and security on the internet. VPNs provide a secure connection for users when joining another network online. It also changes your IP address and location, making your browsing activity safe and private from threat actors.

Cybernews claims that the three VPN providers are likely logging in for more information about their users than required. It also suspects that cybercriminals might have gained full remote access to the VPN servers.

“If true, this is an incredible blow to user security and privacy on the part of SuperVPN, GeckoVPN, and ChatVPN. And, in the case of SuperVPN, this blow is not the first. With deeply sensitive device information such as device serial numbers, IDs, and IMSI numbers in hand, threat actors that have access to the data contained on the compromised VPN servers can get hold of that data and carry out malicious activities such as man-in-the-middle attacks and more,” Cybernews added.

SuperVPN – The Old Culprit

Various cybersecurity experts reported the issues with using SuperVPN.

The VPN has critical vulnerabilities and researchers deemed it dangerous. Google removed the SuperVPN app on April 7, 2020, from its Google Play Store. CISO MAG also advises against using free and unknown VPN applications. It’s a safe bet to use established and paid VPNs.

The post Don’t use these Android VPNs. They Leak Your Credentials! appeared first on CISO MAG | Cyber Security Magazine.

vpn

VPN applications that are meant to secure users’ privacy online are now found to be exposing their sensitive information to third parties. Security experts from Cybernews stated that cybercriminals are selling over 21 million users’ records on a hacking forum. It was found that they are trading three databases that contain user credentials and device data from three Android Virtual Private Network (VPN) services – SuperVPN (with 100,000,000+ installs on Play Store), GeckoVPN (10,000,000+ installs), and ChatVPN (50,000+ installs).

The other database contains information including users’ email addresses, usernames, full names, country names, randomly generated password strings, payment-related data, premium member status, and expiration date, along with users’ device serial numbers, phone types and manufacturers, device IDs, and device IMSI numbers.

“The threat actor claims that the data has been exfiltrated from publicly available databases that were left vulnerable by the VPN providers due to developers leaving default database credentials in use,” Cybernews said.

Threats from Unsecured VPNs

The primary reason for using a VPN is to improve a user’s data privacy and security on the internet. VPNs provide a secure connection for users when joining another network online. It also changes your IP address and location, making your browsing activity safe and private from threat actors.

Cybernews claims that the three VPN providers are likely logging in for more information about their users than required. It also suspects that cybercriminals might have gained full remote access to the VPN servers.

“If true, this is an incredible blow to user security and privacy on the part of SuperVPN, GeckoVPN, and ChatVPN. And, in the case of SuperVPN, this blow is not the first. With deeply sensitive device information such as device serial numbers, IDs, and IMSI numbers in hand, threat actors that have access to the data contained on the compromised VPN servers can get hold of that data and carry out malicious activities such as man-in-the-middle attacks and more,” Cybernews added.

SuperVPN – The Old Culprit

Various cybersecurity experts reported the issues with using SuperVPN.

The VPN has critical vulnerabilities and researchers deemed it dangerous. Google removed the SuperVPN app on April 7, 2020, from its Google Play Store. CISO MAG also advises against using free and unknown VPN applications. It’s a safe bet to use established and paid VPNs.

Don’t use these Android VPNs. They Leak Your Credentials!CISOMAGon March 2, 2021 at 8:30 am CISO MAG | Cyber Security Magazine

News, Threats, Android VPN apps, ChatVPN, Cyberattacks, cybersecurity, dark web, Data Privacy, GeckoVPN, hackers, hacking forum, SuperVPN, user data on the dark web, virtual private network, VPN servicesCISO MAG | Cyber Security MagazineRead MoreVPN applications that are meant to secure users’ privacy online are now found to be exposing their sensitive information to third parties. Security experts from Cybernews stated that cybercriminals are selling over 21 million users’ records on a hacking forum. It was found that they are trading three databases that contain user credentials and device
The post Don’t use these Android VPNs. They Leak Your Credentials! appeared first on CISO MAG | Cyber Security Magazine.

VPN applications that are meant to secure users’ privacy online are now found to be exposing their sensitive information to third parties. Security experts from Cybernews stated that cybercriminals are selling over 21 million users’ records on a hacking forum. It was found that they are trading three databases that contain user credentials and device data from three Android Virtual Private Network (VPN) services – SuperVPN (with 100,000,000+ installs on Play Store), GeckoVPN (10,000,000+ installs), and ChatVPN (50,000+ installs).

The other database contains information including users’ email addresses, usernames, full names, country names, randomly generated password strings, payment-related data, premium member status, and expiration date, along with users’ device serial numbers, phone types and manufacturers, device IDs, and device IMSI numbers.

“The threat actor claims that the data has been exfiltrated from publicly available databases that were left vulnerable by the VPN providers due to developers leaving default database credentials in use,” Cybernews said.

Threats from Unsecured VPNs

The primary reason for using a VPN is to improve a user’s data privacy and security on the internet. VPNs provide a secure connection for users when joining another network online. It also changes your IP address and location, making your browsing activity safe and private from threat actors.

Cybernews claims that the three VPN providers are likely logging in for more information about their users than required. It also suspects that cybercriminals might have gained full remote access to the VPN servers.

“If true, this is an incredible blow to user security and privacy on the part of SuperVPN, GeckoVPN, and ChatVPN. And, in the case of SuperVPN, this blow is not the first. With deeply sensitive device information such as device serial numbers, IDs, and IMSI numbers in hand, threat actors that have access to the data contained on the compromised VPN servers can get hold of that data and carry out malicious activities such as man-in-the-middle attacks and more,” Cybernews added.

SuperVPN – The Old Culprit

Various cybersecurity experts reported the issues with using SuperVPN.

The VPN has critical vulnerabilities and researchers deemed it dangerous.  Google removed the SuperVPN app on April 7, 2020, from its Google Play Store. CISO MAG also advises against using free and unknown VPN applications. It’s a safe bet to use established and paid VPNs.

The post Don’t use these Android VPNs. They Leak Your Credentials! appeared first on CISO MAG | Cyber Security Magazine.

VPN applications that are meant to secure users’ privacy online are now found to be exposing their sensitive information to third parties. Security experts from Cybernews stated that cybercriminals are selling over 21 million users’ records on a hacking forum. It was found that they are trading three databases that contain user credentials and device data from three Android Virtual Private Network (VPN) services – SuperVPN (with 100,000,000+ installs on Play Store), GeckoVPN (10,000,000+ installs), and ChatVPN (50,000+ installs).

The other database contains information including users’ email addresses, usernames, full names, country names, randomly generated password strings, payment-related data, premium member status, and expiration date, along with users’ device serial numbers, phone types and manufacturers, device IDs, and device IMSI numbers.

“The threat actor claims that the data has been exfiltrated from publicly available databases that were left vulnerable by the VPN providers due to developers leaving default database credentials in use,” Cybernews said.

Threats from Unsecured VPNs

The primary reason for using a VPN is to improve a user’s data privacy and security on the internet. VPNs provide a secure connection for users when joining another network online. It also changes your IP address and location, making your browsing activity safe and private from threat actors.

Cybernews claims that the three VPN providers are likely logging in for more information about their users than required. It also suspects that cybercriminals might have gained full remote access to the VPN servers.

“If true, this is an incredible blow to user security and privacy on the part of SuperVPN, GeckoVPN, and ChatVPN. And, in the case of SuperVPN, this blow is not the first. With deeply sensitive device information such as device serial numbers, IDs, and IMSI numbers in hand, threat actors that have access to the data contained on the compromised VPN servers can get hold of that data and carry out malicious activities such as man-in-the-middle attacks and more,” Cybernews added.

SuperVPN – The Old Culprit

Various cybersecurity experts reported the issues with using SuperVPN.

The VPN has critical vulnerabilities and researchers deemed it dangerous.  Google removed the SuperVPN app on April 7, 2020, from its Google Play Store. CISO MAG also advises against using free and unknown VPN applications. It’s a safe bet to use established and paid VPNs.

The post Don’t use these Android VPNs. They Leak Your Credentials! appeared first on CISO MAG | Cyber Security Magazine.

BIoTs can alleviate security concerns for both owners and tenantsCISOMAGon March 2, 2021 at 5:57 am CISO MAG | Cyber Security Magazine

Interviews, 5G, BIoT, Building Internet of Things, BYOD, COVID-19, Cyberattacks, cybersecurity, cyberthreats, Internet of things, iotCISO MAG | Cyber Security MagazineRead MoreDr. Rishi Mohan Bhatnagar is an international speaker and thought leader in the Internet of Things and digital space. He co-authored the book “Enterprise IoT” along with a team from Bosch. He is the recipient of the “ET Now Business Leader of the Year 2019,” Voice&Data “Leadership Recognition Award” – India 2019, Indian ISV “IoT
The post BIoTs can alleviate security concerns for both owners and tenants appeared first on CISO MAG | Cyber Security Magazine.

Dr. Rishi Mohan Bhatnagar is an international speaker and thought leader in the Internet of Things and digital space. He co-authored the book “Enterprise IoT” along with a team from Bosch. He is the recipient of the “ET Now Business Leader of the Year 2019,” Voice&Data “Leadership Recognition Award” – India 2019, Indian ISV “IoT CEO of the Year 2018” and BTVI “Business Leader of the Year 2018.” Currently, as President of Aeris Communications India Private Ltd. (100 % subsidiary of the privately held, Silicon Valley headquartered Aeris Communications Inc., pioneers in the m2m/ IoT business since 1992), Dr. Bhatnagar is leading the Aeris business in the Indian subcontinent, MEA, and the APAC region.

In an exclusive interview with Augustin Kurian from CISO MAG, Bhatnagar talks about his journey, the future of Building the Internet of Things, integrating IoT with farming in India, and also addresses the threats and concerns surrounding 5G.

Edited excerpts from the interview follow:

It has been nearly three decades since the inception of Aeris. Aeris evolved from being a cellular network to now a world-renowned IoT enabler. How has your journey with Aeris been and what were the key milestones for the company?

Aeris was founded in 1992 and is a cellular network designed and built exclusively for machines. Because it was made for machines, Aeris delivers the most reliable, flexible, and efficient global cellular network for M2M data transmission available today. The growth of Aeris mirrors the development and growth of M2M communications and the Internet of Things (IoT). It has operational reach in over 180 countries and has offices in the Americas (Chicago & San Jose), Europe (U.K.), and India (Delhi NCR). We announced our joint venture with Softbank in Japan in 2016 known as Aeris Japan K.K., to provide IoT and telematics services globally using the Aeris IoT solutions platform. We are also part of Ventic LLC, a joint venture that is the result of a long-term commitment between Volkswagen and Aeris in the development and operations of connected vehicle platform technologies.

Today we have 14 million devices managed on our IoT Platform, worldwide. Aeris is at the forefront of the technology industry, building networks and applications to enable Fortune 500 clients to fundamentally improve their businesses. We offer global connectivity for machines as well as IoT solutions and services to multiple sectors which include Automotive, Finance & Insurance, Telecom, Utilities, Manufacturing, Agriculture, and more. From telematics to medical devices to remote machines, Aeris’ customers enjoy solutions tuned for high performance and mission-critical reliability. We entered the Indian market in 2016, and with our joint go to market engagements, we have successfully established an end-to-end IoT ecosystem, cracked the IoT monetization code and today we provide flexible business and commercial models for IoT, for the price-conscious markets, going beyond India, and, creating our presence in SAARC, APAC, Middle East and the APAC region.

With no hardware choke points and several small-cell antennas relying on 5G’s Dynamic Spectrum Sharing feature enabling multiple data streams to share bandwidth partitioned in slices that may each introduce cyber risk, do you feel with 5G technology comes to the emergence of tens of billions of smart devices susceptible to cyberthreats related to IoT networks?

5G comes with the promise of download speeds of up to 10 times faster and there is a huge concern over this from a security perspective as faster speeds may present an opportunity for hackers to target more devices and launch bigger cyberattacks.

But let’s not forget that we witnessed similar concerns and threats when the Internet was growing and maturing to gain the critical mass and adoption. Similar concerns were raised when cloud technology was at its hype. Therefore, it is quite natural that any new and advanced technology will bring with it a gamut of new security challenges. We need to remind ourselves that the security of the “thing” is only as secure as the network in which it resides. This includes the people, processes, and technologies involved in its development and delivery. Managing the security of 5G networks and services requires a new approach, where security is an integral part of the end-to-end architecture and ‘security by design’ is a must.

You have spoken about integrating IoT with agriculture to revolutionize the landscape. What is the feasibility of that? What is your response to the apprehensions surrounding cyberthreats that may arise to unsuspecting farmers?

For IoT deployments, irrespective of the industry vertical whether it is manufacturing or finance or agriculture or even a social sector engagement, security should never be an afterthought.

Keeping connected devices and their data safe starts during device design and at device provisioning and deployment. Deploying IoT programs at scale calls for simplifying device onboarding processes and reducing manual steps. A common goal is to set up each deployed device to immediately be able to communicate over networks to the right destination in the cloud. But doing that securely requires examining all the steps in the process and setting the right parameters for those devices.
Farmers adopting connected technology can tie up with IoT solution and service providers who allow them to securely provision and connect their devices to the cloud with minimum (near zero) effort and help them do this securely with identity and access management best practices being deployed during the entire device deployment lifecycle.

When it comes to the concept of Building Internet of Things (BIoT), it is often said that immaturity and poor definition of the concept are a few of the biggest risks in smart buildings. Do you think there is still a need for a more comprehensive understanding of threats posed on BIoT?

The Commercial Real Estate (CRE) industry is perhaps uniquely positioned to implement the latest technologies using IoT-enabled building management systems (BMS) or BIoT to make building performance more efficient and also use sensor-generated data to enhance building user experience. The value created from the information generated by BIoT has the potential to widen the lens on value creation beyond location, and associated benefits of low-hanging fruit such as cost savings and operational efficiency through improved energy management increased level of efficiency with enhanced building performance and effectiveness that could distinguish buildings within a marketplace from a desirability and profitability standpoint.

BIoTs can alleviate security concerns for both owners and tenants. Real-time monitoring can bolster internal security, and specialized weather sensors provide advance warnings of adverse weather events. As the frequency and severity of hurricanes, floods, and tornadoes increase under a changing climate, so does the value of disaster preparedness and resilience.

From a security point of view, CRE companies can minimize the security and privacy risk that IoT technology presents by taking several measures mentioned below to become secure, vigilant, and resilient:

  • Use purpose-built BIoT devices or addons, rather than generic IoT solutions.
  • Define clear responsibilities for the players in the ecosystem and institutionalize data governance.
  • Selection of secure communication protocol is required for building automation systems, which can help integrate with enterprise management solutions.

When all these systems are unified to work together, we have a resilient Building Internet of Things (BIoT). In the security industry, the integration of the three major segments has been successful to a large extent. Physical Security Management Systems (PSIM) have been used for interoperability between safety & security systems including fire detection, extinguishing, evacuation, mass notification in both large and small projects.

With COVID-19 and employees working from home, there are even bigger threats from the IoT landscape. What are your thoughts surrounding that?

It is true that while the underlying network is relatively easy to secure, like the internet, smart devices and sensors create an ecosystem that is complex and widespread. IoT devices vary widely in their uses, and so do their security needs, which means it’s very easy to either overspend or underspend on the necessary precautions. Each component is vulnerable, and their internetworked communication is instantaneous. That means a hacker can take down an entire system in a second, long before any human or network fail-safes can respond. A disgruntled worker could sabotage devices during design or manufacturing. Criminals could steal a device shipment, reprogram the devices, and return the devices on their journey. A hacker could fake a device malfunction in an existing system, alter the device software, and then bring the device back online — security personnel would simply assume it was a minor glitch. In every case, the breaches might never be detected.

Knowledge and preparedness are key determinants for how successful any IoT security implementation will be, even when facing the unknown. By building comprehensive security measures into the ecosystem first, before a single device is activated, you can create a secure foundation that will last well into the future.

With increasing cyberattacks during the COVID-19 crisis, what are your thoughts on the need for asset inventory management?

For many enterprises, tracking an asset at every step of its journey, in real-time, is a business-critical requirement and the COVID-19 crisis reinforced this hard fact to enterprises of all sizes – big and small!

Connected asset tracking solutions provide compliance oversight, enhances owner/operator behaviors, improves productivity, and reveals granular insights for optimizing operational efficiencies. With remote tracking and monitoring, managers can make smart decisions based on factual data, driving performance, and creating significant competitive advantages for their companies.

Finally, what changes do you foresee in the post-COVID-19 world? Has the lockdown period been an enabler for security advancements in the IoT space or has it been an obstacle?

Having proper security in place makes common sense but too often this has been an afterthought. The outbreak of COVID-19 mandated remote working of the employees with country-wide lockdowns leading to an upsurge in the Bring Your Own Device (BYOD) trend, and, thus, higher vulnerability. The demand for endpoint security rose during the lockdown period. COVID-19 has accelerated the demand for managed IoT security services to safeguard the data of employees as well as organizations. In addition, regulations are now forcing device and sensor manufacturers to take security into account and not to ship without it – security by design.

This interview first appeared in the August 2020 issue of CISO MAG.Subscribe now!

Augustin KurianAbout the Interviewer

Augustin Kurian is part of the editorial team at CISO MAG and writes interviews and features.

The post BIoTs can alleviate security concerns for both owners and tenants appeared first on CISO MAG | Cyber Security Magazine.

Dr. Rishi Mohan Bhatnagar is an international speaker and thought leader in the Internet of Things and digital space. He co-authored the book “Enterprise IoT” along with a team from Bosch. He is the recipient of the “ET Now Business Leader of the Year 2019,” Voice&Data “Leadership Recognition Award” – India 2019, Indian ISV “IoT CEO of the Year 2018” and BTVI “Business Leader of the Year 2018.” Currently, as President of Aeris Communications India Private Ltd. (100 % subsidiary of the privately held, Silicon Valley headquartered Aeris Communications Inc., pioneers in the m2m/ IoT business since 1992), Dr. Bhatnagar is leading the Aeris business in the Indian subcontinent, MEA, and the APAC region.

In an exclusive interview with Augustin Kurian from CISO MAG, Bhatnagar talks about his journey, the future of Building the Internet of Things, integrating IoT with farming in India, and also addresses the threats and concerns surrounding 5G.

Edited excerpts from the interview follow:

It has been nearly three decades since the inception of Aeris. Aeris evolved from being a cellular network to now a world-renowned IoT enabler. How has your journey with Aeris been and what were the key milestones for the company?

Aeris was founded in 1992 and is a cellular network designed and built exclusively for machines. Because it was made for machines, Aeris delivers the most reliable, flexible, and efficient global cellular network for M2M data transmission available today. The growth of Aeris mirrors the development and growth of M2M communications and the Internet of Things (IoT). It has operational reach in over 180 countries and has offices in the Americas (Chicago & San Jose), Europe (U.K.), and India (Delhi NCR). We announced our joint venture with Softbank in Japan in 2016 known as Aeris Japan K.K., to provide IoT and telematics services globally using the Aeris IoT solutions platform. We are also part of Ventic LLC, a joint venture that is the result of a long-term commitment between Volkswagen and Aeris in the development and operations of connected vehicle platform technologies.

Today we have 14 million devices managed on our IoT Platform, worldwide. Aeris is at the forefront of the technology industry, building networks and applications to enable Fortune 500 clients to fundamentally improve their businesses. We offer global connectivity for machines as well as IoT solutions and services to multiple sectors which include Automotive, Finance & Insurance, Telecom, Utilities, Manufacturing, Agriculture, and more. From telematics to medical devices to remote machines, Aeris’ customers enjoy solutions tuned for high performance and mission-critical reliability. We entered the Indian market in 2016, and with our joint go to market engagements, we have successfully established an end-to-end IoT ecosystem, cracked the IoT monetization code and today we provide flexible business and commercial models for IoT, for the price-conscious markets, going beyond India, and, creating our presence in SAARC, APAC, Middle East and the APAC region.

With no hardware choke points and several small-cell antennas relying on 5G’s Dynamic Spectrum Sharing feature enabling multiple data streams to share bandwidth partitioned in slices that may each introduce cyber risk, do you feel with 5G technology comes to the emergence of tens of billions of smart devices susceptible to cyberthreats related to IoT networks?

5G comes with the promise of download speeds of up to 10 times faster and there is a huge concern over this from a security perspective as faster speeds may present an opportunity for hackers to target more devices and launch bigger cyberattacks.

But let’s not forget that we witnessed similar concerns and threats when the Internet was growing and maturing to gain the critical mass and adoption. Similar concerns were raised when cloud technology was at its hype. Therefore, it is quite natural that any new and advanced technology will bring with it a gamut of new security challenges. We need to remind ourselves that the security of the “thing” is only as secure as the network in which it resides. This includes the people, processes, and technologies involved in its development and delivery. Managing the security of 5G networks and services requires a new approach, where security is an integral part of the end-to-end architecture and ‘security by design’ is a must.

You have spoken about integrating IoT with agriculture to revolutionize the landscape. What is the feasibility of that? What is your response to the apprehensions surrounding cyberthreats that may arise to unsuspecting farmers?

For IoT deployments, irrespective of the industry vertical whether it is manufacturing or finance or agriculture or even a social sector engagement, security should never be an afterthought.

Keeping connected devices and their data safe starts during device design and at device provisioning and deployment. Deploying IoT programs at scale calls for simplifying device onboarding processes and reducing manual steps. A common goal is to set up each deployed device to immediately be able to communicate over networks to the right destination in the cloud. But doing that securely requires examining all the steps in the process and setting the right parameters for those devices.
Farmers adopting connected technology can tie up with IoT solution and service providers who allow them to securely provision and connect their devices to the cloud with minimum (near zero) effort and help them do this securely with identity and access management best practices being deployed during the entire device deployment lifecycle.

When it comes to the concept of Building Internet of Things (BIoT), it is often said that immaturity and poor definition of the concept are a few of the biggest risks in smart buildings. Do you think there is still a need for a more comprehensive understanding of threats posed on BIoT?

The Commercial Real Estate (CRE) industry is perhaps uniquely positioned to implement the latest technologies using IoT-enabled building management systems (BMS) or BIoT to make building performance more efficient and also use sensor-generated data to enhance building user experience. The value created from the information generated by BIoT has the potential to widen the lens on value creation beyond location, and associated benefits of low-hanging fruit such as cost savings and operational efficiency through improved energy management increased level of efficiency with enhanced building performance and effectiveness that could distinguish buildings within a marketplace from a desirability and profitability standpoint.

BIoTs can alleviate security concerns for both owners and tenants. Real-time monitoring can bolster internal security, and specialized weather sensors provide advance warnings of adverse weather events. As the frequency and severity of hurricanes, floods, and tornadoes increase under a changing climate, so does the value of disaster preparedness and resilience.

From a security point of view, CRE companies can minimize the security and privacy risk that IoT technology presents by taking several measures mentioned below to become secure, vigilant, and resilient:

  • Use purpose-built BIoT devices or addons, rather than generic IoT solutions.
  • Define clear responsibilities for the players in the ecosystem and institutionalize data governance.
  • Selection of secure communication protocol is required for building automation systems, which can help integrate with enterprise management solutions.

When all these systems are unified to work together, we have a resilient Building Internet of Things (BIoT). In the security industry, the integration of the three major segments has been successful to a large extent. Physical Security Management Systems (PSIM) have been used for interoperability between safety & security systems including fire detection, extinguishing, evacuation, mass notification in both large and small projects.

With COVID-19 and employees working from home, there are even bigger threats from the IoT landscape. What are your thoughts surrounding that?

It is true that while the underlying network is relatively easy to secure, like the internet, smart devices and sensors create an ecosystem that is complex and widespread. IoT devices vary widely in their uses, and so do their security needs, which means it’s very easy to either overspend or underspend on the necessary precautions. Each component is vulnerable, and their internetworked communication is instantaneous. That means a hacker can take down an entire system in a second, long before any human or network fail-safes can respond. A disgruntled worker could sabotage devices during design or manufacturing. Criminals could steal a device shipment, reprogram the devices, and return the devices on their journey. A hacker could fake a device malfunction in an existing system, alter the device software, and then bring the device back online — security personnel would simply assume it was a minor glitch. In every case, the breaches might never be detected.

Knowledge and preparedness are key determinants for how successful any IoT security implementation will be, even when facing the unknown. By building comprehensive security measures into the ecosystem first, before a single device is activated, you can create a secure foundation that will last well into the future.

With increasing cyberattacks during the COVID-19 crisis, what are your thoughts on the need for asset inventory management?

For many enterprises, tracking an asset at every step of its journey, in real-time, is a business-critical requirement and the COVID-19 crisis reinforced this hard fact to enterprises of all sizes – big and small!

Connected asset tracking solutions provide compliance oversight, enhances owner/operator behaviors, improves productivity, and reveals granular insights for optimizing operational efficiencies. With remote tracking and monitoring, managers can make smart decisions based on factual data, driving performance, and creating significant competitive advantages for their companies.

Finally, what changes do you foresee in the post-COVID-19 world? Has the lockdown period been an enabler for security advancements in the IoT space or has it been an obstacle?

Having proper security in place makes common sense but too often this has been an afterthought. The outbreak of COVID-19 mandated remote working of the employees with country-wide lockdowns leading to an upsurge in the Bring Your Own Device (BYOD) trend, and, thus, higher vulnerability. The demand for endpoint security rose during the lockdown period. COVID-19 has accelerated the demand for managed IoT security services to safeguard the data of employees as well as organizations. In addition, regulations are now forcing device and sensor manufacturers to take security into account and not to ship without it – security by design.

This interview first appeared in the August 2020 issue of CISO MAG.Subscribe now!

Augustin KurianAbout the Interviewer

Augustin Kurian is part of the editorial team at CISO MAG and writes interviews and features.

The post BIoTs can alleviate security concerns for both owners and tenants appeared first on CISO MAG | Cyber Security Magazine.

BIoTs can alleviate security concerns for both owners and tenantson March 2, 2021 at 5:57 am Feedzy

FeedzyRead MoreDr. Rishi Mohan Bhatnagar is an international speaker and thought leader in the Internet of Things and digital space. He co-authored the book “Enterprise IoT” along with a team from Bosch. He is the recipient of the “ET Now Business Leader of the Year 2019,” Voice&Data “Leadership Recognition Award” – India 2019, Indian ISV “IoT […]
The post BIoTs can alleviate security concerns for both owners and tenants appeared first on CISO MAG | Cyber Security Magazine.

Dr. Rishi Mohan Bhatnagar is an international speaker and thought leader in the Internet of Things and digital space. He co-authored the book “Enterprise IoT” along with a team from Bosch. He is the recipient of the “ET Now Business Leader of the Year 2019,” Voice&Data “Leadership Recognition Award” – India 2019, Indian ISV “IoT CEO of the Year 2018” and BTVI “Business Leader of the Year 2018.” Currently, as President of Aeris Communications India Private Ltd. (100 % subsidiary of the privately held, Silicon Valley headquartered Aeris Communications Inc., pioneers in the m2m/ IoT business since 1992), Dr. Bhatnagar is leading the Aeris business in the Indian subcontinent, MEA, and the APAC region.

In an exclusive interview with Augustin Kurian from CISO MAG, Bhatnagar talks about his journey, the future of Building the Internet of Things, integrating IoT with farming in India, and also addresses the threats and concerns surrounding 5G.

Edited excerpts from the interview follow:

It has been nearly three decades since the inception of Aeris. Aeris evolved from being a cellular network to now a world-renowned IoT enabler. How has your journey with Aeris been and what were the key milestones for the company?

Aeris was founded in 1992 and is a cellular network designed and built exclusively for machines. Because it was made for machines, Aeris delivers the most reliable, flexible, and efficient global cellular network for M2M data transmission available today. The growth of Aeris mirrors the development and growth of M2M communications and the Internet of Things (IoT). It has operational reach in over 180 countries and has offices in the Americas (Chicago & San Jose), Europe (U.K.), and India (Delhi NCR). We announced our joint venture with Softbank in Japan in 2016 known as Aeris Japan K.K., to provide IoT and telematics services globally using the Aeris IoT solutions platform. We are also part of Ventic LLC, a joint venture that is the result of a long-term commitment between Volkswagen and Aeris in the development and operations of connected vehicle platform technologies.

Today we have 14 million devices managed on our IoT Platform, worldwide. Aeris is at the forefront of the technology industry, building networks and applications to enable Fortune 500 clients to fundamentally improve their businesses. We offer global connectivity for machines as well as IoT solutions and services to multiple sectors which include Automotive, Finance & Insurance, Telecom, Utilities, Manufacturing, Agriculture, and more. From telematics to medical devices to remote machines, Aeris’ customers enjoy solutions tuned for high performance and mission-critical reliability. We entered the Indian market in 2016, and with our joint go to market engagements, we have successfully established an end-to-end IoT ecosystem, cracked the IoT monetization code and today we provide flexible business and commercial models for IoT, for the price-conscious markets, going beyond India, and, creating our presence in SAARC, APAC, Middle East and the APAC region.

With no hardware choke points and several small-cell antennas relying on 5G’s Dynamic Spectrum Sharing feature enabling multiple data streams to share bandwidth partitioned in slices that may each introduce cyber risk, do you feel with 5G technology comes to the emergence of tens of billions of smart devices susceptible to cyberthreats related to IoT networks?

5G comes with the promise of download speeds of up to 10 times faster and there is a huge concern over this from a security perspective as faster speeds may present an opportunity for hackers to target more devices and launch bigger cyberattacks.

But let’s not forget that we witnessed similar concerns and threats when the Internet was growing and maturing to gain the critical mass and adoption. Similar concerns were raised when cloud technology was at its hype. Therefore, it is quite natural that any new and advanced technology will bring with it a gamut of new security challenges. We need to remind ourselves that the security of the “thing” is only as secure as the network in which it resides. This includes the people, processes, and technologies involved in its development and delivery. Managing the security of 5G networks and services requires a new approach, where security is an integral part of the end-to-end architecture and ‘security by design’ is a must.

You have spoken about integrating IoT with agriculture to revolutionize the landscape. What is the feasibility of that? What is your response to the apprehensions surrounding cyberthreats that may arise to unsuspecting farmers?

For IoT deployments, irrespective of the industry vertical whether it is manufacturing or finance or agriculture or even a social sector engagement, security should never be an afterthought.

Keeping connected devices and their data safe starts during device design and at device provisioning and deployment. Deploying IoT programs at scale calls for simplifying device onboarding processes and reducing manual steps. A common goal is to set up each deployed device to immediately be able to communicate over networks to the right destination in the cloud. But doing that securely requires examining all the steps in the process and setting the right parameters for those devices.
Farmers adopting connected technology can tie up with IoT solution and service providers who allow them to securely provision and connect their devices to the cloud with minimum (near zero) effort and help them do this securely with identity and access management best practices being deployed during the entire device deployment lifecycle.

When it comes to the concept of Building Internet of Things (BIoT), it is often said that immaturity and poor definition of the concept are a few of the biggest risks in smart buildings. Do you think there is still a need for a more comprehensive understanding of threats posed on BIoT?

The Commercial Real Estate (CRE) industry is perhaps uniquely positioned to implement the latest technologies using IoT-enabled building management systems (BMS) or BIoT to make building performance more efficient and also use sensor-generated data to enhance building user experience. The value created from the information generated by BIoT has the potential to widen the lens on value creation beyond location, and associated benefits of low-hanging fruit such as cost savings and operational efficiency through improved energy management increased level of efficiency with enhanced building performance and effectiveness that could distinguish buildings within a marketplace from a desirability and profitability standpoint.

BIoTs can alleviate security concerns for both owners and tenants. Real-time monitoring can bolster internal security, and specialized weather sensors provide advance warnings of adverse weather events. As the frequency and severity of hurricanes, floods, and tornadoes increase under a changing climate, so does the value of disaster preparedness and resilience.

From a security point of view, CRE companies can minimize the security and privacy risk that IoT technology presents by taking several measures mentioned below to become secure, vigilant, and resilient:

  • Use purpose-built BIoT devices or addons, rather than generic IoT solutions.
  • Define clear responsibilities for the players in the ecosystem and institutionalize data governance.
  • Selection of secure communication protocol is required for building automation systems, which can help integrate with enterprise management solutions.

When all these systems are unified to work together, we have a resilient Building Internet of Things (BIoT). In the security industry, the integration of the three major segments has been successful to a large extent. Physical Security Management Systems (PSIM) have been used for interoperability between safety & security systems including fire detection, extinguishing, evacuation, mass notification in both large and small projects.

With COVID-19 and employees working from home, there are even bigger threats from the IoT landscape. What are your thoughts surrounding that?

It is true that while the underlying network is relatively easy to secure, like the internet, smart devices and sensors create an ecosystem that is complex and widespread. IoT devices vary widely in their uses, and so do their security needs, which means it’s very easy to either overspend or underspend on the necessary precautions. Each component is vulnerable, and their internetworked communication is instantaneous. That means a hacker can take down an entire system in a second, long before any human or network fail-safes can respond. A disgruntled worker could sabotage devices during design or manufacturing. Criminals could steal a device shipment, reprogram the devices, and return the devices on their journey. A hacker could fake a device malfunction in an existing system, alter the device software, and then bring the device back online — security personnel would simply assume it was a minor glitch. In every case, the breaches might never be detected.

Knowledge and preparedness are key determinants for how successful any IoT security implementation will be, even when facing the unknown. By building comprehensive security measures into the ecosystem first, before a single device is activated, you can create a secure foundation that will last well into the future.

With increasing cyberattacks during the COVID-19 crisis, what are your thoughts on the need for asset inventory management?

For many enterprises, tracking an asset at every step of its journey, in real-time, is a business-critical requirement and the COVID-19 crisis reinforced this hard fact to enterprises of all sizes – big and small!

Connected asset tracking solutions provide compliance oversight, enhances owner/operator behaviors, improves productivity, and reveals granular insights for optimizing operational efficiencies. With remote tracking and monitoring, managers can make smart decisions based on factual data, driving performance, and creating significant competitive advantages for their companies.

Finally, what changes do you foresee in the post-COVID-19 world? Has the lockdown period been an enabler for security advancements in the IoT space or has it been an obstacle?

Having proper security in place makes common sense but too often this has been an afterthought. The outbreak of COVID-19 mandated remote working of the employees with country-wide lockdowns leading to an upsurge in the Bring Your Own Device (BYOD) trend, and, thus, higher vulnerability. The demand for endpoint security rose during the lockdown period. COVID-19 has accelerated the demand for managed IoT security services to safeguard the data of employees as well as organizations. In addition, regulations are now forcing device and sensor manufacturers to take security into account and not to ship without it – security by design.

This interview first appeared in the August 2020 issue of CISO MAG.Subscribe now!

Augustin KurianAbout the Interviewer

Augustin Kurian is part of the editorial team at CISO MAG and writes interviews and features.

The post BIoTs can alleviate security concerns for both owners and tenants appeared first on CISO MAG | Cyber Security Magazine.

Dr. Rishi Mohan Bhatnagar is an international speaker and thought leader in the Internet of Things and digital space. He co-authored the book “Enterprise IoT” along with a team from Bosch. He is the recipient of the “ET Now Business Leader of the Year 2019,” Voice&Data “Leadership Recognition Award” – India 2019, Indian ISV “IoT CEO of the Year 2018” and BTVI “Business Leader of the Year 2018.” Currently, as President of Aeris Communications India Private Ltd. (100 % subsidiary of the privately held, Silicon Valley headquartered Aeris Communications Inc., pioneers in the m2m/ IoT business since 1992), Dr. Bhatnagar is leading the Aeris business in the Indian subcontinent, MEA, and the APAC region.

In an exclusive interview with Augustin Kurian from CISO MAG, Bhatnagar talks about his journey, the future of Building the Internet of Things, integrating IoT with farming in India, and also addresses the threats and concerns surrounding 5G.

Edited excerpts from the interview follow:

It has been nearly three decades since the inception of Aeris. Aeris evolved from being a cellular network to now a world-renowned IoT enabler. How has your journey with Aeris been and what were the key milestones for the company?

Aeris was founded in 1992 and is a cellular network designed and built exclusively for machines. Because it was made for machines, Aeris delivers the most reliable, flexible, and efficient global cellular network for M2M data transmission available today. The growth of Aeris mirrors the development and growth of M2M communications and the Internet of Things (IoT). It has operational reach in over 180 countries and has offices in the Americas (Chicago & San Jose), Europe (U.K.), and India (Delhi NCR). We announced our joint venture with Softbank in Japan in 2016 known as Aeris Japan K.K., to provide IoT and telematics services globally using the Aeris IoT solutions platform. We are also part of Ventic LLC, a joint venture that is the result of a long-term commitment between Volkswagen and Aeris in the development and operations of connected vehicle platform technologies.

Today we have 14 million devices managed on our IoT Platform, worldwide. Aeris is at the forefront of the technology industry, building networks and applications to enable Fortune 500 clients to fundamentally improve their businesses. We offer global connectivity for machines as well as IoT solutions and services to multiple sectors which include Automotive, Finance & Insurance, Telecom, Utilities, Manufacturing, Agriculture, and more. From telematics to medical devices to remote machines, Aeris’ customers enjoy solutions tuned for high performance and mission-critical reliability. We entered the Indian market in 2016, and with our joint go to market engagements, we have successfully established an end-to-end IoT ecosystem, cracked the IoT monetization code and today we provide flexible business and commercial models for IoT, for the price-conscious markets, going beyond India, and, creating our presence in SAARC, APAC, Middle East and the APAC region.

With no hardware choke points and several small-cell antennas relying on 5G’s Dynamic Spectrum Sharing feature enabling multiple data streams to share bandwidth partitioned in slices that may each introduce cyber risk, do you feel with 5G technology comes to the emergence of tens of billions of smart devices susceptible to cyberthreats related to IoT networks?

5G comes with the promise of download speeds of up to 10 times faster and there is a huge concern over this from a security perspective as faster speeds may present an opportunity for hackers to target more devices and launch bigger cyberattacks.

But let’s not forget that we witnessed similar concerns and threats when the Internet was growing and maturing to gain the critical mass and adoption. Similar concerns were raised when cloud technology was at its hype. Therefore, it is quite natural that any new and advanced technology will bring with it a gamut of new security challenges. We need to remind ourselves that the security of the “thing” is only as secure as the network in which it resides. This includes the people, processes, and technologies involved in its development and delivery. Managing the security of 5G networks and services requires a new approach, where security is an integral part of the end-to-end architecture and ‘security by design’ is a must.

You have spoken about integrating IoT with agriculture to revolutionize the landscape. What is the feasibility of that? What is your response to the apprehensions surrounding cyberthreats that may arise to unsuspecting farmers?

For IoT deployments, irrespective of the industry vertical whether it is manufacturing or finance or agriculture or even a social sector engagement, security should never be an afterthought.

Keeping connected devices and their data safe starts during device design and at device provisioning and deployment. Deploying IoT programs at scale calls for simplifying device onboarding processes and reducing manual steps. A common goal is to set up each deployed device to immediately be able to communicate over networks to the right destination in the cloud. But doing that securely requires examining all the steps in the process and setting the right parameters for those devices.
Farmers adopting connected technology can tie up with IoT solution and service providers who allow them to securely provision and connect their devices to the cloud with minimum (near zero) effort and help them do this securely with identity and access management best practices being deployed during the entire device deployment lifecycle.

When it comes to the concept of Building Internet of Things (BIoT), it is often said that immaturity and poor definition of the concept are a few of the biggest risks in smart buildings. Do you think there is still a need for a more comprehensive understanding of threats posed on BIoT?

The Commercial Real Estate (CRE) industry is perhaps uniquely positioned to implement the latest technologies using IoT-enabled building management systems (BMS) or BIoT to make building performance more efficient and also use sensor-generated data to enhance building user experience. The value created from the information generated by BIoT has the potential to widen the lens on value creation beyond location, and associated benefits of low-hanging fruit such as cost savings and operational efficiency through improved energy management increased level of efficiency with enhanced building performance and effectiveness that could distinguish buildings within a marketplace from a desirability and profitability standpoint.

BIoTs can alleviate security concerns for both owners and tenants. Real-time monitoring can bolster internal security, and specialized weather sensors provide advance warnings of adverse weather events. As the frequency and severity of hurricanes, floods, and tornadoes increase under a changing climate, so does the value of disaster preparedness and resilience.

From a security point of view, CRE companies can minimize the security and privacy risk that IoT technology presents by taking several measures mentioned below to become secure, vigilant, and resilient:

  • Use purpose-built BIoT devices or addons, rather than generic IoT solutions.
  • Define clear responsibilities for the players in the ecosystem and institutionalize data governance.
  • Selection of secure communication protocol is required for building automation systems, which can help integrate with enterprise management solutions.

When all these systems are unified to work together, we have a resilient Building Internet of Things (BIoT). In the security industry, the integration of the three major segments has been successful to a large extent. Physical Security Management Systems (PSIM) have been used for interoperability between safety & security systems including fire detection, extinguishing, evacuation, mass notification in both large and small projects.

With COVID-19 and employees working from home, there are even bigger threats from the IoT landscape. What are your thoughts surrounding that?

It is true that while the underlying network is relatively easy to secure, like the internet, smart devices and sensors create an ecosystem that is complex and widespread. IoT devices vary widely in their uses, and so do their security needs, which means it’s very easy to either overspend or underspend on the necessary precautions. Each component is vulnerable, and their internetworked communication is instantaneous. That means a hacker can take down an entire system in a second, long before any human or network fail-safes can respond. A disgruntled worker could sabotage devices during design or manufacturing. Criminals could steal a device shipment, reprogram the devices, and return the devices on their journey. A hacker could fake a device malfunction in an existing system, alter the device software, and then bring the device back online — security personnel would simply assume it was a minor glitch. In every case, the breaches might never be detected.

Knowledge and preparedness are key determinants for how successful any IoT security implementation will be, even when facing the unknown. By building comprehensive security measures into the ecosystem first, before a single device is activated, you can create a secure foundation that will last well into the future.

With increasing cyberattacks during the COVID-19 crisis, what are your thoughts on the need for asset inventory management?

For many enterprises, tracking an asset at every step of its journey, in real-time, is a business-critical requirement and the COVID-19 crisis reinforced this hard fact to enterprises of all sizes – big and small!

Connected asset tracking solutions provide compliance oversight, enhances owner/operator behaviors, improves productivity, and reveals granular insights for optimizing operational efficiencies. With remote tracking and monitoring, managers can make smart decisions based on factual data, driving performance, and creating significant competitive advantages for their companies.

Finally, what changes do you foresee in the post-COVID-19 world? Has the lockdown period been an enabler for security advancements in the IoT space or has it been an obstacle?

Having proper security in place makes common sense but too often this has been an afterthought. The outbreak of COVID-19 mandated remote working of the employees with country-wide lockdowns leading to an upsurge in the Bring Your Own Device (BYOD) trend, and, thus, higher vulnerability. The demand for endpoint security rose during the lockdown period. COVID-19 has accelerated the demand for managed IoT security services to safeguard the data of employees as well as organizations. In addition, regulations are now forcing device and sensor manufacturers to take security into account and not to ship without it – security by design.

This interview first appeared in the August 2020 issue of CISO MAG.Subscribe now!

Augustin KurianAbout the Interviewer

Augustin Kurian is part of the editorial team at CISO MAG and writes interviews and features.