Tuesday, September 27, 2016

How the next Edward Snowden should access Internet for maintaining privacy? - Rethink VPN & TOR

In the present era of Mass Surveillance by intelligence agencies like NSA, GCHQ & RAW, you should know that every border you cross, every purchase you make, every call you dial, every cell phone tower you pass, friend you keep, article you write, site you visit, subject line you type, and packet you route is in the hands of some electronic system whose reach is unlimited, but whose safeguards are questionable. This amount of metadata collected about you is more than enough to create simulations of you and predict your behaviour in any given circumstance. It involves a systematic interference with individual’s right to privacy in terms of subjection to significant indiscrimination, monitoring and censorship. Hence, Privacy & Anonymity are rising concerns among informed citizens, journalists, whistleblowers and Edward Snowdens of the world.

When it comes to technology, privacy and anonymity enthusiasts extensively use encrypted proxy services like VPN & TOR Anonymity network to hide their identities & activities online. But let’s understand how useful & worthy they are, what are the differences and how can we leverage the potential of both.

VPN is faster than TOR, and is suitable for P2P downloading. The major downside however (and reason VPN is said to provide privacy rather than anonymity) is that it requires your trust the VPN provider. This is because, should it wish to (or is compelled to), your VPN provider can “see” what you get up to on the internet. VPN also allows you to easily spoof your geographic location.

On the contrary, TOR is much slower because of the built-in Onion Routing, is often blocked by websites, and is unsuitable for P2P, but it does not require your truston anybody, and is therefore much more secure & truly anonymous.

Interestingly, VPN & TOR can be clubbed and used together in order to provide an extra layer of security, and to mitigate some of the drawbacks of using either technology exclusively. The main downside, however, of doing so combines the speed hit of both technologies, making connections more secure but slow. It is also important to understand the difference between connecting VPN to TOR and connecting TOR to VPN for accessing the Internet. Order Matters!

Sunday, August 28, 2016

Dark-Side of Internet of Things (IOT): Security & Privacy Challenges

Recently, I was invited to deliver a talk at the Global IOT Conclave held at The Chancery Pavilion, Bangalore. The talk focussed on the Dark-Side of Internet of Things specific to Security & Privacy Challenges in IOT. Here’s the digest of the presentation.

  • Why is everything getting Smart with the advent of IOT?  Sensors or Cloud or M2M.
  • IOT is bridging the gap between the Physical world & the Digital world and how Digital threats are becoming Physical threats?
  • Top IOT Hacks: Chrysler's Jeep Cherokee, Mattel's Wi-fi Hello Barbie.
  • Eavesdropping through microphones of Smart Dolls, Smart Teddy Bears & Smart TVs. What if the smart doll teaches offensive things to your kid.
  • Exploitable Smart Refrigerators, Smart Thermostats, Smart Insulin Pumps. How Smart TVs have been hacked & infected by malware for automated Ad Clicks and Cryptocurrency mining.
  • IOT Ransomeware is now reality. How much someone would be willing to pay to remove ransomware from a Smart Pacemaker?
  • Denial of Service (DOS) attacks on & through IOT devices. How hackers can turn a Smart Fridge into a spam-bot?
  • Why can't we make smart devices smart enough to be secure? The IOT Security Challenges: Resource Constraints, STRIDE Threat vectors.
  • Security vs Privacy vs Anonymity. Importance of Trust in IOT Privacy.
  • Security by Obscurity vs Security by Design: Proprietary protocols, indigenous hardware & air-gapped networks.
  • Security can not be an afterthought. It has to considered & implemented in all of stages of IOT Business: Planning, Design, Implementation, Verification, Validation, Deployment & Operations.
  • IOT Business Model needs to change. Earlier we used to Build product, Ship them & forget about them until we had to Service them, but now we have to Ship & Remember.

Below is the presentation for the delivered talk.

Friday, June 3, 2016

Touring the Dark-Side of Internet: A Journey through IOT, TOR & Docker

Recently, I had the privilege of delivering a talk at ThoughtWorks GeekNight Hyderabad along with my co-speaker @Sarath. The session focussed on the Dark-Side of Internet touching upon the following theme.

With the advent of IOT, Every 'Thing' is getting Smart, starting from the range of smartwatches, smart refrigerators, smart bulbs to smart car, smart healthcare, smart agriculture, smart retail, smart city and what not, even smart planet. But why is every thing getting smart? Is it just a marketing gimmick? 

People are trying to bridge the gap between Digital World & Physical World by means of ubiquitous connectivity to Internet, and when digital things become physical, digital threats also become physical threats. Security & Privacy issues are rising as never before. What if the microphone in your smart TV can be used to eavesdrop the private communications in your bed room? What if a smart driverless car deliberately crashes itself into an accident? What if you want to be Anonymous over Internet and don't want anybody to track you? 

The talk focused on answering the above questions with a view on 'What are we currently doing to protect ourselves' and 'What we need to do'. What are the new security challenges that are coming up and how privacy & anonymity is taking the lead over security. The talk also sensitised the audience about the paradigm shift that is happening in IOT DevOps, with help of Docker Containers and how they can be anonymised using TOR.

The detailed Agenda of the delivered talk:

Friday, April 1, 2016

Digital Disruption - Facts to ponder!

Why didn’t a cab driver think of Ola or Uber? 
Why didn’t a Shopping Mall owner think of Flipkart? 
Why didn’t a Theatre owner think of BookMyShow? 
Why didn’t Airtel or Vodafone think of Paytm? 
Why didn’t Taj or Marriott think of GoIbibo? 

The answer to all above, and the myriad of all other companies displaced by digital disruption, is that at some point they became so busy and coupled with the ongoing need to meet or exceed the quarterly numbers, that they forgot to look far enough outside of their business to see the disruption ahead. A quite convincing reason why so many companies fail to face the disruption is that when someone from the outside uses digital disruption to disrupt you, the strategy most often invoked is to protect and defend the status quo. It is amazing how much time and money organizations spend protecting and defending their current ‘cash cows’. In the past this was a valid strategy that did produce good results. But digital disruption is different. Because it tends to be game-changing with a very low cost of entry, it is not hard for a small startup to quickly disrupt not only a big business, but even an entire industry.

But, why all this is happening now? What is digital disruption?

Remote Desktop Connection to Abhinav's Mac On Cloud.