Tag Archive for NIST

Internet of Things

Once upon a time, back in 2005, “using the Internet” always meant using a computer. Today getting on the Intertubes is an expected feature for many devices. The next digital frontier is the physical world, where the “Internet of Things” will bring that online ability to everyday objects.

Twine Sensor Connects Household Objects to the Internet

Tested.com notes a Kickstarter project from two MIT Media Lab alums who developed a way to make the Internet of Things more accessible. A small, durable “Twine” sensor listens to its environment and reports back over Wi-Fi. The creators hope their new product will let regular users, even those without programming knowledge, digitally manage their surroundings.

A basic Twine unit senses temperature and motion, but other options like moisture detection, a magnetic switch, and more can be added using a breakout board. The various sensors and built-in Wi-Fi can be powered by either a mini-USB connection or two AAA batteries, which will keep it running for months. Twine readings get wirelessly loaded into the appropriately named Spool web app, where users can set simple if-then triggers that create SMS messages, tweets, emails, or specially configured HTTP requests.

A donation of $99 or more will get you a basic unit when they ship in March.


THE SMART FRRRIDGE. Chilly Forecast for Internet Frrridge

The Smart Frrridge is a new version of the familiar kitchen apparatus. According to Medienturn, the new fridge comes with a built-in computer that can be connected to the internet. It is one of a growing class known as “Internet appliances” that includes not only smartphones but also web-enabled versions of typical household appliances.

The refrigerator keeps an eye on the food in it by using RFID technology, a digital camera, and image processing. These technologies let the fridge keep track of what’s in it, how long it has been there, and whether it should be thrown out.

To keep in contact with the Smart Frrridge, all you have to do is pick up your mobile phone and call. It will be able to suggest a menu that uses the food inside, generate a shopping list of the missing ingredients, and place the order online.

The Smart Frrridge can also be used to watch television, listen to music, take a photograph and save it to an album, post it to a website, or send it to an email recipient. It comes with a docking station where you can dock your Apple (AAPL) iPod or iPhone and start using all your favorite cooking apps.


SCADA: How Big a Threat?

There are reports of two recent cyber attacks on critical infrastructure in the US. Threatpost says the hacker who compromised the water infrastructure for South Houston, TX, said the district used a three-letter password, making it easy to break in.

There are also reports that a cyberattack destroyed a water pump belonging to a Springfield, IL water utility. There are mixed reports that an attacker gained unauthorized access to that company’s industrial control system.

According to DailyWireless, Supervisory Control And Data Acquisition (SCADA) software monitors and controls various industrial processes, some of which are considered critical infrastructure.

Researchers have warned about attacks on critical infrastructure for some time, but warnings became reality after a highly complicated computer worm, Stuxnet, attacked and destroyed centrifuges at a uranium enrichment facility in Iran.

German cybersecurity expert Ralph Langner found Stuxnet to be the most advanced worm he had ever seen, and he warns that U.S. utility companies are not ready to deal with the threat.

In a TED Talk Langner stated that “The leading force behind Stuxnet is the cyber superpower – there is only one, and that’s the United States.”

In a recent speech at the Brookings Institution, he also made the bigger point that having developed Stuxnet as a computer weapon, the United States has in effect introduced it into the world’s cyber-arsenal.


New NIST Report Sheds Some Light On Security Of The Smart Grid

DarkReading reports that the National Institute of Standards and Technology (NIST) has released a report (PDF) by the Cyber Security Coordination Task Group. The Task Group heads up the security strategy and architecture for the nation’s smart power grid, and its report covers risk assessment, security priorities, and privacy issues.

The smart grid turns the electrical power grid into a two-way flow of data and electricity, which allows consumers to remotely monitor their power usage in real time to help conserve energy and save money. DarkReading says researchers have raised red flags about the security of the smart grid. Some have already poked holes in the grid, including IOActive researcher Mike Davis, who found multiple vulnerabilities in smart meters, including devices that don’t use encryption and don’t authenticate users when updating software. He was able to execute buffer overflow attacks and unleash rootkits on smart meters.

Tony Flick, a smart grid expert with FYRM Associates, talked (PDF) at Black Hat USA about his worries over utilities “self-policing” their implementations of the security framework. “This is history repeating itself,” Mr. Flick said in an interview with DarkReading.

According to DarkReading, the report recommends smart grid vendors carry out some pretty basic security practices:

  • Audit personally identifiable information (PII) data access and changes;
  • Specify the purpose for collecting, using, retaining, and sharing PII;
  • Collect only PII data that’s needed;
  • Anonymize PII data where possible and keep it only as long as necessary;
  • Advanced Metering Infrastructure (AMI) must set up protections against denial-of-service (DoS) attacks;
  • Network perimeter devices should filter certain types of packets to protect devices on an organization’s internal network from being directly affected by denial-of-service attacks;
  • The AMI system should use redundancy or excess capacity to reduce the impact of a DoS;
  • AMI components accessible to the public must be in separate subnetworks with separate physical network interfaces;
  • The AMI system shall deny network traffic by default and allow network traffic by exception;
  • Consumers’ access to smart grid meters should be limited. Authorization and access levels need to be carefully considered.
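As an added illustration of several of those recommendations (this is example code, not from the NIST report or from DarkReading), here is a toy Python AMI back-end: a purpose table limits which PII fields may be collected, customer IDs are replaced by a keyed pseudonym, every read of meter data is written to an audit log, readings past a per-purpose retention window are purged, and a head-end packet filter allows traffic only when an explicit rule matches, denying everything else. The key, field names, subnets, ports and retention periods are constructed for the example and are assumptions, not values from the report.

```python
import datetime as dt
import hashlib
import hmac
import ipaddress

# Constructed demo key. A real deployment would keep this in an HSM or KMS,
# never in source; rotating it unlinks old pseudonyms from new ones.
PSEUDONYM_KEY = b"constructed-demo-key-not-for-production"

# Purpose specification: the only fields each declared purpose may collect.
ALLOWED_FIELDS = {
    "billing": {"meter_id", "kwh", "customer_id"},
    "load_research": {"meter_id", "kwh"},
}
# Retention per purpose, in days; readings older than this are purged.
RETENTION_DAYS = {"billing": 365, "load_research": 90}

# Constructed allow-list for the AMI head-end segment: anything not matched
# here is dropped, which is the "deny by default, allow by exception" rule.
ALLOW_RULES = [
    {"src": "10.10.0.0/16", "proto": "tcp", "dst_port": 443},  # collectors over TLS
    {"src": "10.20.5.0/24", "proto": "udp", "dst_port": 123},  # ops NTP subnet
]


def pseudonymize(customer_id: str) -> str:
    """Keyed hash of the customer ID: readings from one customer still link
    together, but the raw identifier is never stored."""
    digest = hmac.new(PSEUDONYM_KEY, customer_id.encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


def traffic_allowed(src_ip: str, proto: str, dst_port: int) -> bool:
    """Return True only when an explicit allow rule matches; otherwise deny."""
    src = ipaddress.ip_address(src_ip)
    for rule in ALLOW_RULES:
        if (src in ipaddress.ip_network(rule["src"])
                and proto == rule["proto"] and dst_port == rule["dst_port"]):
            return True
    return False


class AmiStore:
    """Toy meter-reading store: purpose limits, pseudonyms, audit, retention."""

    def __init__(self, now: dt.datetime):
        self.now = now  # injected clock so retention can be exercised
        self.records = []
        self.audit_log = []

    def ingest(self, reading: dict, purpose: str) -> dict:
        """Accept a reading only if every field is needed for the purpose."""
        extra = set(reading) - ALLOWED_FIELDS[purpose]
        if extra:
            raise ValueError(f"fields not needed for {purpose}: {sorted(extra)}")
        rec = dict(reading)
        if "customer_id" in rec:
            rec["customer_pseudonym"] = pseudonymize(rec.pop("customer_id"))
        rec.update(purpose=purpose, collected_at=self.now)
        self.records.append(rec)
        return rec

    def read(self, actor: str, meter_id: str, purpose: str) -> list:
        """Every access to meter data is logged with who, what, and why."""
        hits = [r for r in self.records
                if r["meter_id"] == meter_id and r["purpose"] == purpose]
        self.audit_log.append({"at": self.now, "actor": actor, "meter_id": meter_id,
                               "purpose": purpose, "rows": len(hits)})
        return hits

    def purge_expired(self) -> int:
        """Drop readings past their purpose's retention window; return the count."""
        keep = [r for r in self.records
                if (self.now - r["collected_at"]).days <= RETENTION_DAYS[r["purpose"]]]
        purged = len(self.records) - len(keep)
        self.records = keep
        self.audit_log.append({"at": self.now, "actor": "retention-job", "purged": purged})
        return purged


if __name__ == "__main__":
    store = AmiStore(dt.datetime(2010, 1, 1))
    store.ingest({"meter_id": "M-001", "kwh": 12.5, "customer_id": "C-42"}, "billing")
    print(store.read("billing-app", "M-001", "billing"))
    print(traffic_allowed("10.10.3.7", "tcp", 443), traffic_allowed("192.0.2.9", "tcp", 443))
```

The design point is that each recommendation becomes a check the code enforces rather than a policy someone remembers to follow: a reading with a field the purpose does not need is rejected at ingest, the audit log grows on every read, and the filter's only way to return True is an explicit rule, so forgetting to add a rule fails closed.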

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Feds to Test IPv6

NetworkWorld is reporting that the U.S. government has launched a comprehensive product testing program for IPv6. The new program, the USGv6 Test Program, will be run by the National Institute of Standards and Technology (NIST) and will require all network hardware and software vendors to pass IPv6 compliance and interoperability tests before they can sell their products to the U.S. federal government market.


The NIST IPv6 test plan covers basic IPv6 functionality as well as related standards such as IP Security (IPsec), Internet Key Exchange (IKEv2), Dynamic Host Configuration Protocol (DHCPv6), Open Shortest Path First (OSPFv3), Border Gateway Protocol (BGP4+) and multicast requirements in MLDv2.

The USGv6 program will allow vendors to run IPv6 compliance tests in their own labs as long as the lab is accredited by NIST, but they must run IPv6 interoperability testing in someone else’s lab. Erica Johnson, Director of the University of New Hampshire InterOperability Laboratory, told NetworkWorld, “The way that the NIST profile is going to work is that conformance testing can be done in an accredited first-party [vendor], second-party [buyer] or third-party [independent] lab…But the interoperability testing must be done in a second-party or third-party lab.”

The time frame for the USGv6 Test Program is tight. NIST is expected to publish this week [July 31] the final version of its IPv6 test specifications aka Special Publication 500-273 and to finalize its test plan in November 2009. Testing labs are to be accredited before the end of the calendar year. Network vendors will have six months to get their routers, operating systems, firewalls and other security systems through IPv6 testing before the federal government’s July 2010 acquisition deadline.

By July 2010, federal agencies will be required to buy only hosts, routers, and network security systems that have been tested for IPv6 compliance. Vendors must issue a “Suppliers’ Declaration of Conformity” stating that host and router products have been tested for IPv6 compliance and interoperability, while security products must undergo functional IPv6 testing. All of the testing must be done in NIST-accredited labs.

rb-

It’s about time – I have included IPv6 requirements in RFPs for over 6 years. It is amazing to watch the vendors tap-dance around what IPv6 compatibility means. Only some of these products from Cisco or Foundry Brocade are IPv6 compatible depending on the image you buy. I guess the real trick will be to get a “Suppliers’ Declaration of Conformity” if you are not a Fed.


Feds Aim to Nationalize Private Networks

In the tradition of the federalization of the auto industry, and in keeping with promises made in the 2008 campaign, the Obama administration and Democrats in Congress are proposing to increase cybersecurity by federalizing networks. The legislation, co-sponsored by Senate Commerce Committee Chairman John D. “The Internet Should Never Have Existed” Rockefeller IV (D-W.Va.) and Sen. Olympia J. Snowe (R-Maine), was drafted with White House input.

The Rockefeller-Snowe measure would create the Office of the National Cybersecurity Advisor, the White House cybersecurity “czar.” The czar would report directly to the president and would coordinate defense efforts across government agencies. The proposed bills go beyond securing government networks and put the White House in charge of the security of private networks, with the authority to shut them down. Under the guise of “critical infrastructure”, the Feds are going to nationalize banking, utilities, air/rail/auto traffic control, and telecommunications networks.

The new rules are proposed in two senate bills, S.773 the Cybersecurity Act of 2009, and S.778. S.778 is a bill to establish, within the Executive Office of the President, the Office of National Cybersecurity Advisor. S.773 is “A bill to ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications, to provide for the continued development and exploitation of the Internet and intranet communications for such purposes, to provide for the development of a cadre of information technology specialists to improve and maintain effective cybersecurity defenses against disruption, and for other purposes.”

It would require the National Institute of Standards and Technology to establish “measurable and auditable cybersecurity standards” that would apply to private companies as well as the government. It also would require licensing and certification of cybersecurity professionals.

Director of National Intelligence Dennis C. Blair acknowledged there will be privacy concerns about centralizing cybersecurity, and he told the Washington Post that the program should be designed in a way that gives Americans confidence that it is “not being used to gather private information.”

rb-

How does the Obama Cyber Czar plan to ensure the continued free flow of commerce when they take the Telco networks off-line? In case they haven’t noticed, the telcos provide most of the long-haul interconnect for the Internet. If the Obama Cyber Czar decides to take the banks offline, there are going to be bigger problems. Can you say bank run? I will pull my cash out at the local branch.

Finally, this is a bad policy, because the Security Czar is a political appointment and network security is too important to be left to politics unless, of course, it is in the corporate boardroom.
