Internet of things definitions: A handy guide to essential IoT terms – Network World

Internet of things definitions: A handy guide to essential IoT terms – Network World

There’s an often-impenetrable alphabet soup of protocols, standards and technologies around the Internet of Things. Here’s our attempt to wipe away some of the fog, in the hopes of making the language of IoT just a little bit clearer.

6LoWPAN – Possibly the most tortured acronym of even this distinguished group, 6LoWPAN is “IPv6 over low-power personal area networks.” Sheesh. The idea is to placate people that say it’s not really the “Internet” of Things without Internet protocol, so it’s essentially the IPv6 version of Zigbee and Z-wave.

AMQP (Advanced Message Queuing Protocol) – AMQP is an open source standard that allows disparate applications to talk to each other across any network and from any device. AMQP is a part of numerous commercial middleware integration offerings, including Microsoft’s Windows Azure Service Bus, VMware’s RabbitMQ, and IBM’s MQlight. It was initially developed by the financial sector for fast M2M communication, but has begun to be used in IoT projects.

+ALSO ON NETWORK WORLD: After virtualization and cloud, what’s left on premises? + What’s really behind the Cisco-Google hybrid cloud partnership

Bluetooth of various kinds (Blueteeth?) – There are two main forms of the ubiquitous Bluetooth wireless communication protocol used for IoT. The standard variety is used across great swathes of smart home gizmos, from connected refrigerators to shower speakers to door locks. Bluetooth Low Energy, often referred to simply as BLE, is a little bit more attractive for larger networks of constrained connected devices, since battery life is less of a limiting factor. Both formats got an update in December 2016 with Bluetooth 5, which expands the effective range of Bluetooth devices and boosts potential throughput.

Cellular data – It’s not the most power-efficient way to do things, obviously, but there are plenty of IoT deployments out there that use wireless data from the cellular carriers as their transport layer.

CoAP (Constrained Application Protocol) – This is an Internet protocol designed for use with constrained devices, those without a lot of computing power. It’s a part of the official Internet Engineering Task Force’s standards, and as you’d imagine from the name, it works well with small-scale gizmos like digital signage and smart lighting.

DDS (Data Distribution Service) – It’s another middleware standard, like AMQP, this one created by the Object Management Group, a tech industry consortium dating back to 1989 aimed at creating distributed object-management standards. DDS uses a system of “topics” – types of information known by the system, like “boiler temperature” or “conveyor belt speed” – to provide information to other nodes that have “declared” an interest in a given topic, ideally obviating the need for complicated network programming.

HomeKit – HomeKit is Apple’s own-brand front-end and control apparatus for smart home devices. It’s got the usual Apple issue of only working particularly well when the important parts of the system are all Apple-made, which could prove annoying if you don’t already own an Apple TV or iPad, but it’s also got the concomitant Apple virtue of being simple to set up and use.

IoTivity – IoTivity is an open source project that’s trying to create a standard software layer for IoT device connectivity, backed by a bunch of the tech world’s heavy hitters, including Microsoft, Intel, Qualcomm, LG and Samsung. The project absorbed a group called the AllSeen Alliance, publishers of a rival standard called AllJoyn, in October 2016, and the two systems are mostly interoperable at this point.

JSON-LD (JavaScript Object Notation for Linked Data) – A lightweight outgrowth of the JSON file format intended to provide an easy way to move machine-readable data around a network of devices that might format their information differently.

LoRaWAN – LoRa refers to a proprietary wireless chip technology designed for use in low-power WAN implementation. LoRaWAN technology is similar to (and competes with) Sigfox, although the LoRa Alliance is a consortium of companies rather than a single corporation.

MQTT (MQ telemetry transport) – MQTT is a publish/subscribe messaging protocol, designed to be used in situations where the devices talking to each other have limited computing power or are connected by unreliable or delay-prone networks. It does what it’s supposed to do very well, but it’s hamstrung a bit by the fact that implementing tough security controls can be tricky and can undercut the lightweight nature of the protocol.

NFC (Near-field communication) – The lowest of low-power networks has been around for a long time and is unsurprisingly well-suited for use in IoT applications. Anything that can be placed close to what it’s supposed to interact with and doesn’t need to send or receive a great deal of information is a good fit for NFC.

Physical Web – The Physical Web is a Google-created concept that argues for “quick and seamless interactions with physical objects and locations.” It uses a protocol called Eddystone to broadcast links via Bluetooth Low Energy, with the idea being that you can simply walk up to a parking meter and feed it digitally or get information about a store by scanning its kiosk with your phone.

SCADA (Supervisory Control and Data Acquisition) – SCADA has been around since the days of mainframes, and outlines the earliest attempts at systematic computerized control over industrial, manufacturing and heavy transport applications. Older-generation SCADA networks are frequently highly insecure, having been designed for ease of use, rather than security.

Sigfox – Sigfox is both the shorthand for a proprietary, narrowband, low-power WAN technology and the name of the French company that makes it. The proprietary nature of the technology is unusual (though not unique) for the LPWAN space, but Sigfox’s business model is different than most other companies – the idea seems to be to act as a kind of IoT mobile operator, providing on-demand network coverage for anyone who wants to implement IoT.  

SMS – Yep, regular old text messages can be a perfectly acceptable communications medium for certain kinds of IoT devices, particularly those that are spread out across a large geographic area and have a certain amount of delay tolerance. Sweden-based pest control company Anticimex, for example, has smart traps that update the company about rodent activity through SMS.

Thread – Thread is a networking standard based on 6LoWPAN that was created by Google subsidiary Nest Labs, which you’ll doubtless remember for its Nest smart thermostat, arguably the first breakthrough smart home device. Since the summer of 2016, it’s been available to developers as OpenThread.

TR-069 (Technical Report 069) –This is a Broadband Forum specification document that outlines a protocol called CWMP designed to let users remotely configure and manage customer-premises equipment via an IP network. (“Consumer-premises equipment WAN Management Protocol,” for those keeping score at home.) It dates back to the earlier part of the century and was originally designed to help cable network operators manage gizmos like set-top boxes remotely.

Weave – Weave is Google and Nest’s software layer for smart homes. It’s designed with flexibility and security in mind, even for particularly constrained devices, and it’s based on Google’s existing Android platform. It’s also partially open source – Google has published what it calls “some of the core components” of Weave to GitHub.

Web Thing Model – This is the World Wide Web Consortium’s idea for a physical IoT framework, which, unsurprisingly, leverages existing web technology to connect devices, rather than relying on custom, non-web protocols.

XMPP (eXtensible Messaging and Presence Protocol) – A clear case of acronym abuse, XMPP began life as Jabber, an open source standard for chat clients that gained minor notoriety among players of certain online role-playing games. It has since become an IETF standard, with a vast range of extensions and implementations, many of which are aimed at core IoT functionality like discovery and provisioning.

Zigbee – Zigbee is a wireless-mesh networking protocol that boasts the rare combination of good battery life and decent security, thanks to built-in 128-bit encryption. That’s partially offset by a low maximum data rate and relatively short range, but there are plenty of constrained device applications for which it’s well-suited. It’s also an IEEE 802.15.4 standard, which provides a high degree of interoperability.

Z-wave – Like Zigbee, Z-wave is a low-power, short-range wireless network technology primarily used for applications like smart home devices. It’s standardized by the ITU.

Join the Network World communities on




to comment on topics that are top of mind.

Security News,IoT News

via IoT – Google News

October 30, 2017 at 10:28AM

Introducing GoCrack: A Managed Password Cracking Tool

Introducing GoCrack: A Managed Password Cracking Tool

FireEye’s Innovation and Custom Engineering (ICE) team released a
tool today called GoCrack that allows red
teams to efficiently manage password cracking tasks across multiple
GPU servers by providing an easy-to-use, web-based real-time UI
(Figure 1 shows the dashboard) to create, view, and manage tasks.
Simply deploy a GoCrack server along with a worker on every GPU/CPU
capable machine and the system will automatically distribute tasks
across those GPU/CPU machines.

Figure 1: Dashboard

As readers of this blog probably know, password cracking tools are
an effective way for security professionals to test password
effectiveness, develop improved methods to securely store passwords,
and audit current password requirements. Some use cases for a password
cracking tool can include cracking passwords on exfil archives,
auditing password requirements in internal tools, and
offensive/defensive operations. We’re releasing GoCrack to provide
another tool for distributed teams to have in their arsenal for
managing password cracking and recovery tasks.

Keeping in mind the sensitivity of passwords, GoCrack includes an
entitlement-based system that prevents users from accessing task data
unless they are the original creator or they grant additional users to
the task. Modifications to a task, viewing of cracked passwords,
downloading a task file, and other sensitive actions are logged and
available for auditing by administrators. Engine files (files used by
the cracking engine) such as Dictionaries, Mangling Rules, etc. can be
uploaded as “Shared”, which allows other users to use them in task yet
do not grant them the ability to download or edit. This allows for
sensitive dictionaries to be used without enabling their contents to
be viewed.

Figure 2 shows a task list, Figure 3 shows the “Realtime Status” tab
for a task, and Figure 4 shows the “Cracked Passwords” tab.

Figure 2: Task Listing

Figure 3: Task Status

Figure 4: Cracked Passwords Tab

GoCrack is shipping with support for hashcat v3.6+, requires no
external database server (via a flat file), and includes support for
both LDAP and database backed authentication. In the future, we plan
on adding support for MySQL and Postgres database engines for larger
deployments, ability to manage and edit files in the UI, automatic
task expiration, and greater configuration of the hashcat engine.
We’re shipping with Dockerfile’s to help jumpstart users with GoCrack.
The server component can run on any Linux server with Docker
installed. Users with NVIDIA GPUs can use NVIDIA Docker to
run the worker in a container with full access to the GPUs.

GoCrack is available immediately for download along with its source
code on the project’s
GitHub page
. If you have any feature requests, questions, or bug
reports, please file an issue in GitHub.

ICE is a small, highly trained, team of engineers that incubate and
deliver capabilities that matter to our products, our clients and our
customers. ICE is always looking for exceptional candidates interested
in solving challenging problems quickly. If you’re interested, check
out FireEye careers.

Security News

via Threat Research Blog

October 30, 2017 at 10:24AM

Unencrypted USB stick with 2.5GB of data detailing airport security found in street

Unencrypted USB stick with 2.5GB of data detailing airport security found in street

If you were to see a USB flash drive just lying in the parking lot at work, then it would be a good bet that the USB stick was part of a pen tester’s trick to get inside a company’s network or a company’s test to determine which employee plugged it into a work PC and needs to attend awareness training. But a recently found USB memory stick, which not found in a parking lot but on a road, has caused one of the world’s busiest airports to launch an internal investigation as the USB drive contained confidential information that posed “a risk to national security.”

Heathrow Airport in London launched a “very, very urgent” investigation on Sunday after a man found a USB flash drive with detailed sensitive information about the airport’s security and anti-terror measures. The USB stick, which contained 2.5GB of data, was neither encrypted nor required a password to access it.

The USB drive was reportedly found in leaves on the street by an unemployed man; he plugged it in at a library where he was using a PC to search for a job. The USB stick contained 76 folders, packed with maps, documents and videos, even security measures to protect the Queen and the route she takes when using the airport. He did not hand the drive over to police, but to the Daily Mirror.

[ Learnhow to protect personally identifiable information (PII) under GDPR. | Get the latest from CSO by signing up for our newsletters. ]

At least 174 documents – some marked as “restricted” or “confidential” – were included in the 76 folders. The USB stick also contained maps, information showing how to access restricted areas such as tunnels and escape shafts as well as files on every type of ID needed to access those areas –“even those used by covert cops.”

It also mapped the location of CCTV cameras, routes used by British and foreign politicians and a timetable of security patrols guarding against suicide bombers and terror attacks.

The USB stick contained the route to the Royal Suite, the screening process at the Windsor Suite, listed those who are “exempt from screening” and even contained the radio codes to be used in case of an “aircraft hijacking.”

Other files included “details of the ultrasound radar system used to scan runways and the perimeter fence,” satellite images and operating manuals for the Doppler radar surveillance system as well as photos of X-ray machines and scanning equipment.

Since none of the data was encrypted, it was all accessible by anyone who had possession of the USB. So, was this a colossal lapse of security or did someone intend for the information to be released to the public?

The Daily Mirror quotes an unnamed expert who suggested the USB stick “is serving up intelligence on a plate to people” and the information could be helpful to future attackers.

Unnamed airport insiders told the newspaper that the USB stick “sparked a ‘very, very urgent’ probe and that it posed ‘a risk to national security’.”

However, the official statement by a Heathrow spokesperson claimed, “We have reviewed all of our security plans and are confident that Heathrow remains secure. We have also launched an internal investigation to understand how this happened and are taking steps to prevent a similar occurrence in future.”

Security News

via CSO Online

October 30, 2017 at 10:15AM

Worried About Breaking Your New iPhone? Get AppleCare, Not Carrier-Provided Insurance

Worried About Breaking Your New iPhone? Get AppleCare, Not Carrier-Provided Insurance

During the iPhone X pre-order rollout last Friday, Apple quietly updated their repair prices to include the new phone and one thing is perfectly clear: very expensive phones come with very expensive repairs and insurance isn’t really optional anymore.

Security News

via How-To Geek

October 30, 2017 at 10:14AM

Hacking site hacked by hackers

Hacking site hacked by hackers

We try not to guffaw at cybercrime, but sometimes – especially on a Monday just after the clocks have gone back to remind us that summer is very much over – we allow ourselves a wry smile.

As we did today on reading a report from our chums at Bleeping Computer in which a cybercrook turned on his fellow crooks by hacking their underground forum and saying he would expose them to the cops…

…unless they forked over $50,000:


Hello, you have only 24 hours to pay 50.000$ OTHERWISE YOU WILL BE 

The ebullient extortionist listed four examples of “relevant bodies”, all of them in the US: Homeland Security, the Treasury, the Department of Justice and, for good measure, the FBI. (We couldn’t help think that the Internal Revenue Service might be interested, too.)

According to Bleeping Computer, the crook uploaded some of his “proofs” to the Basetools hacking site itself, presumably to cause maximum embarrassment amongst the site’s criminal community.

These published “proofs” included a screenshot that’s supposed to show the web administration panel of the Basetools forum, listing the pseudonyms of the last 15 buyers and sellers, as well as the last 9 refunds.

Seems that the crooks have problems trusting each other on many different levels.

To pay or not to pay?

We don’t want to be seen as offering advice to cybercriminals, but we’d strongly urge against paying up in extortion cases like this.

It’s clear that the data has already been stolen – and some of it already shared with the world, let alone with US law enforcement – so paying now won’t do much good.

In ransomware demands, the extortion typically covers a decryption key for data that almost certainly wasn’t copied by the crooks – in other words, if you decide you aren’t going to pay up, the crooks have nothing further to squeeze you with.

But when the crooks already have copies of your data, and are threatening to besmirch, embarrass or defraud you by exposing it, paying the fee won’t do anything to stop them besmirching you anyway.

Or coming back for more money next week.

For what it’s worth, it seems that the Basetools site owners haven’t quite figured out what to do yet – at the time of writing [2017-10-30T12:00Z], their underground forum said:

One thing they definitely haven’t done yet is to read our highly educational article What you sound like after a data breach.

What to do?

Hackers hacking hackers sounds funny, and perhaps it is – but if hackers can be hacked, then so can you, if you aren’t careful.

We don’t know how this attack happened, but the obvious precautions you can take for your own online service include:

  • Patch promptly. If the crooks know what server software version you are using, and it has a known security hole, they may very well be able to break in automatically. In other words, if you haven’t patched, you’re the low-hanging fruit.
  • Choose decent passwords. If the crooks can guess your password, or if you used the same password on another site that already got hacked, then the crooks don’t need to do any hacking themselves – they can just login directly.
  • Use two-factor authentication (2FA). A one-time code that changes every time you login means that just guessing or stealing your password isn’t enough. If the code is calculated on or sent to your phone, then the crooks need your phone (and its unlock code) as well, which is a higher bar to jump over.
  • Check your logs. If you keep logfiles for auditing purposes, for example so you can check who logged in when, examine them proactively in order to find out about security anomalies sooner rather than later.

Honour amongst thieves, eh?

Security News

via Naked Security

October 30, 2017 at 10:11AM

Real-world networks for real-world solutions

Real-world networks for real-world solutions

As part of an ongoing commitment to accelerate the growth and adoption of Internet of Things (IoT) technology, Stream Technologies has deployed an array of incubator LoRa networks throughout the UK. With incubator networks deployed in Glasgow, Liverpool and London, Stream is providing an entryway into LoRa technology and encouraging collaboration between industry experts, academics and enterprises.

In line with the company’s objective to nurture the development of LoRa technology and foster growth throughout the industry, Stream’s incubator networks are entirely open to organisations who want to develop LoRa applications and test them in a real-world environment.

For many organisations and individuals, developing IoT projects in real-life conditions can prove challenging. For example, developing and testing smart city applications can be prohibitively expensive because of the lack of openaccess testing environments available. Developers in this field require consent from multiple parties, dedicated hardware, specialised software and network technology, as well as estates in which to create an effective test environment. This results in a heavy strain on finance and time. Stream’s incubator networks are designed to stimulate the development of IoT sensors and applications and to address the challenges of developing smart city solutions in real-life conditions.

Why LoRa?

Stream is supporting the development of LoRa technology because it’s the ideal fit for a wide-range of IoT use cases, ranging from smart cities and smart campuses to agriculture and industry. LoRa, developed by Semtech, is a wireless technology that supports long-range, low-power IoT communications.

LoRa use cases

Stream’s incubator networks are being harnessed by enterprises, start-ups and academic organisations as they develop and test LoRa-based applications. Stream’s testbeds are open to public and private sector organisations and enable the development of a wide-range of applications to support smart cities, smart campuses and smart airports. Some of the use cases that Stream’s networks are being used to develop solutions for include:

• Smart metering

The smart metering industry stands to benefit enormously from LoRaWAN technology. Since smart metering applications transmit low amounts of data, they are an ideal candidate for low-bit rate, low-power LoRa devices. While cellular connectivity usually incurs a monthly charge for line rental and data, LoRaWAN devices are much more cost-effective to use.

Thousands of smart meters can communicate with a single LoRa gateway up to 15 kilometres away, depending on urban density, with the geographical distribution of smart meters being supported by LoRa’s long-range functionality. Stream expects LoRaWAN to be used to deliver robust applications that add great value to smart meter operators, bringing reliability, accuracy and efficiency to smart metering solutions.

• Smart parking

The operational costs associated with parking infrastructure can be significantly reduced with a simple LoRaWAN smart parking deployment. LoRa sensors can be used to report on parking space occupancy, with the data being delivered in real time to the operator via Stream’s LoRaWAN network server. With real-time parking occupancy data, operators can direct drivers to empty parking spaces. LoRaWAN smart parking applications can also be used to increase staff productivity. For example, rather than ticket officers patrolling specific routes, their routes can be optimised to […]

The post Real-world networks for real-world solutions appeared first on IoT Now – How to run an IoT enabled business.

Security News,IoT News

via IoT Now

October 30, 2017 at 10:06AM