Monday, January 16, 2017

What is Fog Computing ?



Cloud models for IoT are not designed for the volume, variety and velocity of data that the IoT generates. Billions of connected IoT devices generate a huge amount of data every day. Moving all of that data to the cloud for analysis costs bandwidth and time, and by the time the data reaches the cloud and is analyzed, the opportunity to act on it may already be gone. Fog computing was developed to address that concern.


What is Fog Computing ?

 





The term fog computing refers to extending cloud computing to the edge of an enterprise's network. As said above, IoT devices consume cloud services and generate a huge amount of data. With fog computing, the data gathered by the IoT devices can be processed, to a certain extent, close to where it is generated, instead of sending all of it to the cloud for analysis.

Fog computing does the following:

  • Instead of sending the vast amount of data collected by the IoT devices to the cloud, it analyzes the most time-sensitive data nearer to the devices.
  • It sends selected data to the cloud for historical analysis and longer-term storage.

The fog brings the cloud closer to the IoT devices that collect the data. Devices called fog nodes analyze the collected data to a certain extent. Any device with computing, storage and network connectivity, such as an industrial controller, switch, router, embedded server or video surveillance camera, can be a fog node. Fog nodes can be deployed anywhere with a network connection: on a factory floor, on top of a power pole, in a vehicle and so on. They run IoT-enabled applications, can respond in milliseconds and can provide transient storage for a couple of hours.

By one commonly cited estimate, fog nodes can analyze around 40 percent of the data being collected. As a result, fog computing reduces the latency experienced by IoT devices, offloads traffic from the core network and can keep sensitive data inside the local network instead of transferring it to the cloud for analysis.

Fog nodes receive the data collected by the IoT devices and direct different types of data to different places for analysis.

  • The most time-sensitive data is analyzed on the fog node closest to the IoT devices that collect the data.
  • If the data can wait for seconds or minutes, it is sent to aggregation nodes for analysis.
  • Less time sensitive data is sent to the cloud for historical analysis, big data analytics and long term storage.
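As an added example (not code from the original post), the routing policy above written out as a small fog-node program: each reading carries how long it can wait, the most urgent ones are acted on locally, sensitive readings are kept local regardless of urgency, and only a per-sensor summary of the cloud-bound readings is forwarded. The sensor names, thresholds and readings are constructed for illustration.

```python
# Added example: a toy fog-node policy that routes readings by latency budget and
# sensitivity, acts locally on the most urgent ones, and forwards only a summary.
# All sensor names, thresholds and readings are constructed.
import statistics
from dataclasses import dataclass


@dataclass
class Reading:
    sensor: str
    value: float
    max_wait_ms: int          # how long the consumer of this reading can wait
    sensitive: bool = False   # e.g. patient data: must not leave the local network


# Constructed local rule: a pipeline pressure above this triggers an immediate action.
PRESSURE_LIMIT = 80.0


def route(r: Reading) -> str:
    """Decide where a reading is analyzed: 'fog', 'aggregation' or 'cloud'."""
    if r.max_wait_ms < 1000:        # milliseconds: act on the nearest fog node
        return "fog"
    if r.sensitive:                 # keep sensitive data inside the network
        return "fog"
    if r.max_wait_ms < 60_000:      # seconds to a minute: aggregation node
        return "aggregation"
    return "cloud"                  # everything else: history, big data analytics


def local_action(r: Reading):
    """Real-time rule evaluated on the fog node itself."""
    if r.sensor == "pipeline_pressure" and r.value > PRESSURE_LIMIT:
        return "slow_pump"
    return None


def process(readings):
    """Process one batch on the fog node.

    Returns the immediate actions taken locally, the compact per-sensor summary
    (mean and count) that is forwarded to the cloud instead of the raw readings,
    and a count of readings per destination.
    """
    actions = []
    cloud_bound = {}
    routed = {"fog": 0, "aggregation": 0, "cloud": 0}
    for r in readings:
        dest = route(r)
        routed[dest] += 1
        if dest == "fog":
            act = local_action(r)
            if act:
                actions.append((r.sensor, act))
        elif dest == "cloud":
            cloud_bound.setdefault(r.sensor, []).append(r.value)
    summary = {s: {"mean": statistics.fmean(v), "count": len(v)}
               for s, v in cloud_bound.items()}
    return actions, summary, routed


SAMPLE = [  # constructed readings
    Reading("pipeline_pressure", 85.2, max_wait_ms=50),
    Reading("pipeline_pressure", 71.0, max_wait_ms=50),
    Reading("patient_heart_rate", 130.0, max_wait_ms=120_000, sensitive=True),
    Reading("ambient_temp", 21.5, max_wait_ms=30_000),
    Reading("energy_kwh", 3.2, max_wait_ms=3_600_000),
    Reading("energy_kwh", 2.8, max_wait_ms=3_600_000),
]

if __name__ == "__main__":
    print(process(SAMPLE))
```

The point of the summary dictionary is the bandwidth saving the text describes: the cloud receives one mean and count per sensor rather than every raw reading, and the patient reading never leaves the node at all.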


Advantages of Fog Computing


There are a number of advantages of using fog computing.


  • As said earlier, fog applications can monitor and analyze data collected by IoT devices in real time, so the devices can respond immediately and initiate an action such as locking a door, changing equipment settings, zooming a camera or opening a valve.
  • Because fog computing speeds up the response of IoT devices, it can improve their output and increase safety. For example, if an oil pipeline experiences a change in pressure, pumps can automatically slow down to avoid a disaster.
  • Fog applications can analyze sensitive data locally instead of sending it to the cloud for analysis. This keeps the data within the owner's network and gives better privacy control, though the fog nodes now hold that data and must be secured accordingly.
  • As fog applications process selected data locally, they can conserve network bandwidth and lower operating cost.


Applications of Fog Computing


There are several applications of fog computing.

Smart Grids


A smart grid is an electricity distribution network with smart meters deployed at various locations to measure real-time status information. The information collected by the smart meters can be analyzed in real time by fog nodes, enabling real-time responses such as stabilizing the grid in response to a change in demand or another emergency.

Smart Vehicles


Fog computing can be integrated into vehicular networks. Fog nodes can be deployed along the roadside and exchange information with moving vehicles. Vehicles themselves can also be used on the fly to form a fog that, together with the cloud, supports real-time events like traffic light scheduling, congestion mitigation and parking facility management.

Healthcare


Health data collected from patients by IoT devices is sensitive and private in nature. With fog computing, the collected data can be analyzed locally in real time instead of being sent to the cloud for analysis. As a result, fog applications can protect the privacy of that data in a better way.

Smart Cities


Fog computing can be used efficiently in smart cities. Data collected by smart devices can be analyzed by fog nodes to manage traffic congestion, public safety, high energy use and municipal services in real time. Moreover, cellular networks often have bandwidth limits that do not always meet the requirements. With fog computing, data can be analyzed locally by fog nodes to a certain extent, which optimizes network usage.

Smart Buildings


A smart building may contain thousands of sensors measuring parameters like temperature, keycard reader events and parking space occupancy. Using fog computing to analyze that data enables real-time actions like controlling lighting, triggering alarms or addressing other emergency situations.

Security


Video cameras are often used to monitor public places like parking lots and buildings for security. The data collected by those cameras needs a large bandwidth to be transported to the cloud for analysis. Using fog computing, the video can be analyzed in real time to detect anomalies and respond to them accordingly.


Thursday, January 12, 2017

Smart Contracts and Blockchain



Smart contracts are computer protocols that facilitate, verify or enforce the negotiation or performance of a contract, or make a contractual clause unnecessary. They usually have a user interface and emulate the logic of contractual clauses. They can execute the terms of a contract in an automated way, making contractual clauses partially or fully self-executing and self-enforcing.

Usually users need to go to a lawyer or a notary and pay them to get a document drawn up. In the case of smart contracts, one pays with cryptocurrency and the smart contract is created. A smart contract does not only define the rules and penalties of an agreement, it can also enforce them automatically. It is usually written as code that is placed in a blockchain. On a triggering event, such as an expiration date, the contract is executed according to the coded terms.


How is Blockchain used in Smart Contracts





Smart contracts are implemented on top of a blockchain. Once a smart contract is created, it is placed in the blockchain. A transaction typically works the following way:

  • A user requests a transaction. The transaction can involve contracts, records or cryptocurrency.
  • The request is broadcast to a P2P network consisting of computers, called nodes.
  • The nodes verify the transaction (its signature, and that the user actually has the funds or rights it refers to) using known algorithms.
  • On successful verification, the verified transaction is added to a block along with other transactions.
  • The block is added to the blockchain.
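As an added example (not code from the original post), the verify-then-append steps above as a minimal hash-chained ledger. Each transaction is checked for authorization and for the sender's balance before it is admitted to a block, each block carries the hash of the previous one, and any later edit to history is detected when the chain is re-verified. To keep the block self-contained, authorization is a toy HMAC with per-user secrets rather than the public key signatures a real network uses; the users, balances and transactions are constructed.

```python
# Added example: a toy hash-chained ledger with verify-then-append.
# HMAC with per-user secrets stands in for real public key signatures.
import hashlib
import hmac
import json


def _tx_message(src, dst, amount):
    return f"{src}->{dst}:{amount}".encode()


def sign(secret, src, dst, amount):
    """Build a transaction authorized by the sender's secret (toy signature)."""
    sig = hmac.new(secret, _tx_message(src, dst, amount), hashlib.sha256).hexdigest()
    return {"from": src, "to": dst, "amount": amount, "sig": sig}


class Ledger:
    def __init__(self, balances):
        self.balances = dict(balances)                # the users' "status" (funds)
        self.chain = [self._block(0, [], "0" * 64)]   # genesis block

    @staticmethod
    def _block(index, txs, prev_hash):
        body = {"index": index, "txs": txs, "prev": prev_hash}
        body["hash"] = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        return body

    def verify(self, tx, secrets):
        """Check the transaction's authorization and the sender's funds."""
        key = secrets.get(tx["from"])
        if key is None:
            return False
        expected = hmac.new(key, _tx_message(tx["from"], tx["to"], tx["amount"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tx["sig"]):
            return False
        return self.balances.get(tx["from"], 0) >= tx["amount"]

    def add_block(self, txs, secrets):
        """Append only the transactions that pass verification; returns the new block."""
        ok = [t for t in txs if self.verify(t, secrets)]
        for t in ok:
            self.balances[t["from"]] -= t["amount"]
            self.balances[t["to"]] = self.balances.get(t["to"], 0) + t["amount"]
        block = self._block(len(self.chain), ok, self.chain[-1]["hash"])
        self.chain.append(block)
        return block

    def is_valid(self):
        """Recompute every hash and every back-link; any edit breaks the chain."""
        for i, b in enumerate(self.chain):
            body = {k: v for k, v in b.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if digest != b["hash"]:
                return False
            if i and b["prev"] != self.chain[i - 1]["hash"]:
                return False
        return True


SECRETS = {"adam": b"adam-secret", "bob": b"bob-secret"}   # constructed


def demo():
    ledger = Ledger({"adam": 100})
    good = sign(SECRETS["adam"], "adam", "bob", 30)
    forged = dict(sign(SECRETS["adam"], "adam", "bob", 30), amount=60)  # edited after signing
    broke = sign(SECRETS["bob"], "bob", "adam", 500)                     # bob lacks the funds
    block = ledger.add_block([good, forged, broke], SECRETS)
    valid_before = ledger.is_valid()
    ledger.chain[1]["txs"][0]["amount"] = 1     # tamper with recorded history
    return len(block["txs"]), dict(ledger.balances), valid_before, ledger.is_valid()


if __name__ == "__main__":
    print(demo())
```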

Regulators can use the blockchain to learn about current activities in the market. At the same time, the individuals involved can remain pseudonymous and maintain privacy, since the ledger records addresses rather than names.



An Example of using a Smart Contract





Let’s understand the whole concept with a very simple example.

Suppose Adam wants to rent a property from Bob. To do that, Adam pays with cryptocurrency through the blockchain. A smart contract is created between Adam and Bob, with the terms written as code, and placed in the blockchain.

Bob then needs to provide a digital key by the effective date of the agreement. On the effective date, the coded terms are executed: Adam gets the key to the property and Bob gets the payment. Even if Bob releases the digital key before the effective date, the contract holds the key and releases it only on the scheduled date. And if Bob fails to release the digital key, Adam is automatically refunded. The terms of the smart contract are executed automatically and the contract expires automatically after the scheduled period.
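As an added example (not code from the original post), the rental agreement above written as the small state machine an escrow-style contract would encode: the tenant's payment is locked in the contract, a key deposited early is held rather than released, on the effective date either both sides are paid out or the tenant is refunded, and the contract expires on its own. Time is passed in explicitly so the logic runs offline; the names, amounts and dates are constructed.

```python
# Added example: the rental agreement as an escrow-style contract state machine.
# Time is supplied by the caller (as in a chain, where each block carries a timestamp).
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class RentalContract:
    tenant: str               # Adam
    landlord: str             # Bob
    rent: int
    effective_date: int       # constructed day numbers
    expiry_date: int
    escrow: int = 0           # rent locked in the contract
    key: Optional[str] = None # digital key deposited by the landlord
    state: str = "created"
    payouts: dict = field(default_factory=dict)

    def pay(self, payer, amount):
        """Tenant funds the contract; any other payment is rejected."""
        if self.state != "created" or payer != self.tenant or amount != self.rent:
            return False
        self.escrow, self.state = amount, "funded"
        return True

    def deposit_key(self, who, key):
        """Landlord deposits the key, possibly early; it is held, not released."""
        if who != self.landlord or self.state not in ("created", "funded"):
            return False
        self.key = key
        return True

    def tick(self, today):
        """Called on each time step; executes whatever term is due and returns the state."""
        if self.state == "funded" and today >= self.effective_date:
            if self.key is not None:
                self.payouts[self.landlord] = self.escrow        # Bob is paid
                self.payouts[self.tenant + "_key"] = self.key    # Adam receives the key
                self.state = "active"
            else:
                self.payouts[self.tenant] = self.escrow          # no key: refund Adam
                self.state = "refunded"
            self.escrow = 0
        if self.state == "active" and today >= self.expiry_date:
            self.state = "expired"
        return self.state


def happy_path():
    c = RentalContract("adam", "bob", 1000, effective_date=10, expiry_date=40)
    c.pay("adam", 1000)
    c.deposit_key("bob", "door-key-7f3a")   # released early, but held by the contract
    early = c.tick(5)
    start = c.tick(10)
    end = c.tick(40)
    return early, start, end, c.payouts


def no_key():
    c = RentalContract("adam", "bob", 1000, effective_date=10, expiry_date=40)
    c.pay("adam", 1000)
    return c.tick(10), c.payouts


if __name__ == "__main__":
    print(happy_path())
    print(no_key())
```

Note that every outcome is decided by code alone: there is no party who can override `tick`, which is exactly why the contract logic needs to be right before it is deployed.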


Advantages of Smart Contracts


There are a number of advantages of using a Smart Contract.

  • Smart contracts eliminate the need for intermediaries like brokers and lawyers.
  • Records placed in a blockchain are hashed, chained to the previous block and replicated on many nodes, so any tampering is detectable. Note that the data itself is not encrypted on a public blockchain; anyone can read it, so confidential terms have to be encrypted before being stored. The involved parties appear only as addresses and can remain pseudonymous.
  • Usually a user has to spend a lot of time on paperwork or on processing documents manually. Smart contracts automate the whole process and save that time.
  • As smart contracts eliminate intermediaries, they also save the costs involved in the process.
  • As smart contracts execute automatically, they avoid errors that result from manual execution. The flip side is that a bug in the contract code executes just as automatically and usually cannot be undone once the contract is on the chain, so the code needs careful review before deployment.


Applications of Smart Contracts


There are many applications of smart contracts.

  • Smart contracts can be used in all sorts of situations, ranging from financial derivatives and insurance premiums to breach of contract, credit enforcement, legal processes, property law and even crowdfunding agreements.
  • Smart contracts can facilitate business operations that usually suffer from independent processing, lawsuits and settlement delays.
  • Smart contracts can be used in contracts involving shares, bonds or derivatives. They can also facilitate mortgages, which are often manual and confusing, by automating every aspect of the transaction including payment processing and signing the mortgage agreement.
  • Smart contracts can be used in property transfers to improve transaction integrity, efficiency and transparency.
  • Smart contracts can be used in the supply chain, along with IoT, to track managed assets and products from the factory onward.
  • Smart contracts can automate insurance claims and speed up processing, verification and payment.
  • Smart contracts can be used in clinical trials and medical research studies to facilitate sensitive agreements such as cross-institutional data sharing.
  • Smart contracts can be used in cancer research to automate patient consent management and to incentivize data sharing.
  • Smart contracts can also be used in a blockchain-protected voting system to facilitate secure voting and improve voter turnout.


Thus smart contracts can eliminate intermediaries in a contract, save time and extra costs and increase the security of a negotiation. This was a short introduction to smart contracts. Hope it helped.

Sunday, December 4, 2016

Infographic: How To Backup Data




Symmetric Key Encryption vs Public Key Encryption



If we want to safeguard our data from theft or protect our privacy, encryption is the most feasible option. It converts our sensitive data to something that can be read only by authorized people. 

Nowadays, there are many encryption solutions available and we get many options while encrypting our data. Some of them use symmetric key encryption and some use public key encryption. But, what are symmetric key encryption and public key encryption actually? How do they work and how are they different from each other? In this article we would discuss about that.



What is Encryption ?

Encryption is a process which takes as input a plaintext message and converts it into an encoded message called ciphertext, such that only authorized people can read it. And, decryption is the opposite process. It takes as input a ciphertext message and converts it back into the original plaintext message. These encryption and decryption processes take help of secret keys to perform these actions. The secret key used in encryption process is called an encryption key and the secret key used in the decryption process is called the decryption key.


What is Symmetric Key Encryption ?


As said above, the encryption and decryption processes use an encryption key and a decryption key respectively. Symmetric key encryption is an encryption process in which the same secret key is used for both encryption and decryption. We call that key the symmetric key. So if we encrypt a file with symmetric key encryption using a secret key, we must use the same secret key to decrypt it.


Symmetric key encryption can use either stream ciphers or block ciphers.


Stream Ciphers

In a stream cipher, the plaintext digits (bits or bytes) are taken one at a time and encrypted using a keystream. A keystream is a stream of pseudorandom digits generated from the key. Each plaintext digit is combined, usually by XOR, with the corresponding digit of the keystream.


This stream cipher can be of two types:


  • Synchronous Stream Cipher
  • Asynchronous (self-synchronizing) Stream Cipher


In a synchronous stream cipher, the keystream does not depend on the plaintext or the ciphertext. It is generated independently, from the key and an initialization value (a nonce).

With synchronous stream ciphers, the sender and the receiver must stay in step for decryption to succeed. If a digit is added or removed during transmission, synchronization is lost (a single flipped bit, on the other hand, corrupts only the corresponding plaintext digit). In practical implementations, various methods are used to restore synchronization if it is lost. A more serious pitfall is keystream reuse: if the same key and nonce are used for two messages, XORing the two ciphertexts cancels the keystream and reveals the XOR of the two plaintexts.


In an asynchronous (self-synchronizing) stream cipher, the keystream is computed from the previous N ciphertext digits, where N varies with the implementation. The receiver can therefore resynchronize automatically with the keystream generator after receiving N correct ciphertext digits, which makes it easier to recover if digits are added or lost during transmission.


Because of their speed and simplicity of implementation in hardware, stream ciphers are widely used. RC4, A5/1, A5/2, FISH, Helix and ISAAC are examples. Note that RC4 and the GSM ciphers A5/1 and A5/2 are now considered broken and should not be used in new systems; modern designs use ChaCha20 or a block cipher in a stream mode such as CTR.


Block Ciphers

In a block cipher, the plaintext is divided into blocks of a fixed length (128 bits for AES, for example) and each block is encrypted with the symmetric key.


If a message produces the same ciphertext each time it is encrypted with the same key, the encryption is considered weak, because an attacker can observe repeated patterns in the ciphertext and infer things about the plaintext (this is the weakness of the ECB mode of operation). For this reason an Initialization Vector (IV) is used in modes such as CBC and CTR. An IV is a random or unique value used along with the symmetric key at the time of encryption. It randomizes the encryption, so that the same plaintext produces different ciphertexts each time it is encrypted, even with the same key. The IV does not need to be secret and is usually sent along with the ciphertext, but it must never be reused with the same key.


Block ciphers are widely used in software. Data Encryption Standard (DES), RC5, Advanced Encryption Standard (AES) and Blowfish are examples, though DES's 56-bit key is far too short for today's hardware and AES is the standard choice.
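As an added example (not code from the original post), a toy synchronous stream cipher whose keystream is SHA-256 over (key, nonce, counter). It serves both the stream cipher discussion and the IV discussion above: encryption is an XOR with a keystream that never depends on the data, leaving out the nonce makes encryption deterministic (the weakness the IV exists to fix), and reusing a nonce lets an attacker who knows one plaintext recover the other without the key. The construction and the key are for illustration only; in practice use ChaCha20 or AES in CTR/GCM mode.

```python
# Added example: a toy keystream cipher to show the nonce/IV and keystream-reuse points.
# Not a real cipher; use ChaCha20 or AES-CTR/GCM from a vetted library in practice.
import hashlib
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Synchronous keystream: depends only on key, nonce and position, never on the data."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encryption and decryption are the same operation: XOR with the keystream."""
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


decrypt = encrypt


def deterministic_without_nonce(key: bytes, msg: bytes) -> bool:
    """With a fixed (empty) nonce, encrypting twice gives identical ciphertext."""
    return encrypt(key, b"", msg) == encrypt(key, b"", msg)


def randomized_with_nonce(key: bytes, msg: bytes) -> bool:
    """A fresh random nonce per message makes the ciphertexts differ and still decrypt."""
    n1, n2 = os.urandom(12), os.urandom(12)
    c1, c2 = encrypt(key, n1, msg), encrypt(key, n2, msg)
    return c1 != c2 and decrypt(key, n1, c1) == msg and decrypt(key, n2, c2) == msg


def nonce_reuse_leak(key: bytes, nonce: bytes, m1: bytes, m2: bytes) -> bool:
    """Same key and nonce: c1 XOR c2 == m1 XOR m2, the keystream cancels out."""
    c1, c2 = encrypt(key, nonce, m1), encrypt(key, nonce, m2)
    return xor(c1, c2) == xor(m1, m2)


def recover_known_plaintext(key: bytes, nonce: bytes, m1: bytes, m2: bytes) -> bytes:
    """An attacker who knows m1 recovers m2 from the two ciphertexts without the key."""
    c1, c2 = encrypt(key, nonce, m1), encrypt(key, nonce, m2)
    return xor(xor(c1, c2), m1)     # attacker never touches `key`


KEY = b"constructed-demo-key"   # constructed; use os.urandom(32) for a real key

if __name__ == "__main__":
    print(deterministic_without_nonce(KEY, b"attack at dawn!"))
    print(randomized_with_nonce(KEY, b"attack at dawn!"))
    print(recover_known_plaintext(KEY, b"nonce", b"attack at dawn!", b"retreat at noon"))
```

The same keystream-reuse argument applies to a block cipher in CTR mode, which is why CTR and GCM nonces must be unique per key, and why CBC needs an unpredictable IV.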



What is Public Key Encryption ?


As discussed already, symmetric key encryption uses the same secret key for both encryption and decryption. This can be inconvenient. For example, if two users want to exchange encrypted messages over the internet using symmetric key encryption, they first need to share the secret key with each other over a secure channel, and that may not be possible. Public key encryption is used to address that.


Public key encryption is an encryption process in which two different but mathematically related keys are used: one key is used for encryption and the other for decryption. These are called the public key and the private key.


Each user who wants to use public key encryption has to create a keypair consisting of a public key and a private key. The private key must be kept secret with the user and the public key can be distributed with others who want encrypted communication with the user.


In textbook RSA the same mathematical operation works in both directions: a message transformed with the private key can be recovered with the public key, and vice versa. This is why signing is often described loosely as "encrypting with the private key". In practice, encryption and signing are distinct operations with their own padding schemes, and some algorithms, such as DSA, can only sign. Either way, having two related keys is what makes public key cryptography usable for encryption, decryption and digital signatures.


If Alice wants to send an encrypted message to Bob, she would need to encrypt the message using Bob’s public key. Bob can decrypt the message using his private key and read. As the private key is kept secret to Bob, only Bob would be able to decrypt the message and read.


But at the same time, Bob may need to make sure the encrypted message was sent by Alice and not by someone else using Bob's distributed public key. Digital signatures are used for that purpose. Alice creates a digital signature over the message using her private key and sends it to Bob along with the encrypted message. Bob verifies the signature using Alice's public key. As no one else knows Alice's private key, Bob can be sure that Alice sent the message. For this to hold, Bob must also be sure that the public key he holds really belongs to Alice, which is what certificates and PGP's web of trust are for.


Thus public key encryption can be used conveniently for encryption, decryption and digital signatures. RSA supports both encryption and signatures, while DSA is a signature-only algorithm. PGP is an application that uses both kinds of encryption: it encrypts the message with a random symmetric session key and then encrypts that session key with the recipient's public key, because public key operations are far slower than symmetric ones.
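As an added example (not code from the original post), the Alice-to-Bob exchange described above carried out with textbook RSA on small, fixed primes: Alice signs the message with her private key and encrypts it with Bob's public key; Bob decrypts with his private key and checks the signature with Alice's public key. The primes, key pairs and message are constructed for illustration. Real RSA uses 2048-bit or larger keys and padding (OAEP for encryption, PSS for signatures); this toy has neither, which is exactly what makes it unsafe outside a demonstration.

```python
# Added example: textbook RSA (no padding, tiny keys) to walk through sign + encrypt.
import hashlib


def keygen(p: int, q: int, e: int = 65537):
    """Return (public, private) as (n, e) and (n, d). p and q must be prime."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)     # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


CHUNK = 7   # bytes per RSA block: 0x01 prefix + 7 bytes stays below the ~2^60 moduli used here


def encrypt(public, msg: bytes):
    """Encrypt for the holder of the matching private key, one small chunk at a time."""
    n, e = public
    chunks = [msg[i:i + CHUNK] for i in range(0, len(msg), CHUNK)]
    # The 0x01 prefix preserves leading zero bytes of a chunk through the integer encoding.
    return [pow(int.from_bytes(b"\x01" + c, "big"), e, n) for c in chunks]


def decrypt(private, blocks):
    n, d = private
    out = b""
    for c in blocks:
        m = pow(c, d, n).to_bytes(CHUNK + 1, "big")
        out += m.lstrip(b"\x00")[1:]    # drop padding zeros and the 0x01 marker
    return out


def sign(private, msg: bytes) -> int:
    """Hash-then-sign: the digest (reduced mod n) is raised to the private exponent."""
    n, d = private
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % n
    return pow(h, d, n)


def verify(public, msg: bytes, sig: int) -> bool:
    """Anyone with the public key can check the signature; only the private key can make it."""
    n, e = public
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % n
    return pow(sig, e, n) == h


# Constructed key pairs (these primes are far too small for real use)
ALICE_PUB, ALICE_PRIV = keygen(1000000007, 998244353)
BOB_PUB, BOB_PRIV = keygen(2147483647, 1000000009)


def exchange(msg: bytes):
    """Alice -> Bob: sign with Alice's private key, encrypt with Bob's public key.
    Returns what Bob recovers, whether the signature checks, and whether a
    tampered message still checks."""
    sig = sign(ALICE_PRIV, msg)
    ct = encrypt(BOB_PUB, msg)
    pt = decrypt(BOB_PRIV, ct)                  # Bob's side
    return pt, verify(ALICE_PUB, pt, sig), verify(ALICE_PUB, pt + b"!", sig)


if __name__ == "__main__":
    print(exchange(b"Meet at the old bridge at 9"))
```

Decrypting with the wrong private key yields garbage rather than an error, and there is nothing here that binds the signature to the ciphertext; real protocols add padding, authenticated encryption and key certification on top of the bare operations shown.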

Saturday, December 3, 2016

What is 2 Factor Authentication ?



We often use a combination of username and password to authenticate ourselves. But this is not secure enough on its own. We regularly hear about breaches caused by weak passwords or password reuse, and we know of malware like keyloggers that steal users' passwords. A feasible way to address that problem is 2 Factor Authentication.




What is 2 Factor Authentication ?


We use several kinds of information to prove our identity at the time of authentication, information that no unauthorized person should have. These are called factors of authentication. For example, a password, a PIN or a security question is an authentication factor.


There are mainly three types of factors that are commonly used for the purpose of authentication.


  • Knowledge Factor
  • Possession Factor
  • Inherence Factor


Knowledge Factor


A knowledge factor is a piece of information that only the user knows. For example, a password or a PIN is a knowledge factor. A security question is also a knowledge factor, though a weak one: an attacker can often find the answer by researching the victim.


Possession Factor


A possession factor is something the user has. A hardware token used at the time of authentication is a possession factor, and authentication using an ATM card is another good example. As no one can authenticate without physically possessing the factor, authentication using a possession factor is considered quite secure. But it can be inconvenient, as the user always has to carry the possession factor in order to authenticate.


Inherence Factor


An inherence factor is something that is an essential characteristic of the user. Authentication using biometrics like fingerprints, iris or voice is a good example. This method of authentication is considered quite secure, though a biometric cannot be changed if it is ever compromised.




Any authentication process that uses only one of the above factors is called a single factor authentication. A multifactor authentication is an authentication process that uses more than one of the above factors. And, a 2 Factor Authentication or 2FA is authentication using two of the above three factors.


Authentication using an ATM card and a PIN is a good example of 2FA. Here, the ATM card is the possession factor and the PIN is the knowledge factor. Authentication using a password and a One Time Password (OTP) sent to the user's mobile phone is also an example of 2FA. Here, the password is the knowledge factor and the user's mobile phone is the possession factor.




How secure is 2 Factor Authentication using OTP sent to mobile phones ?


Many websites implement 2FA with a password and a One Time Password (OTP) sent by SMS to the user's mobile phone at the time of authentication. This counts as 2FA, but it does not provide very strong security. Attackers can infect the phone with malware that reads the SMS, intercept the message in transit through a Man-In-The-Middle attack on the mobile network, or take over the phone number with a SIM swap, and then authenticate without physically possessing the phone. A phishing site can also simply ask the victim for the OTP and relay it in real time. 2FA using a hardware token is considered more secure.


Another option for 2FA is an authenticator app such as Google Authenticator, which implements the Time-based One Time Password (TOTP) algorithm. During setup the website shares a secret key with the user, usually as a QR code, and the app stores it. Later, when the user wants to log in, the app computes a 6-digit code from the shared secret and the current time (in 30-second steps), and the website computes the same code independently from its own copy of the secret. Nothing is sent from the phone to the website except the code the user types in, so there is no message on the mobile network to intercept. An attacker needs either the shared secret or physical possession of the phone to authenticate. The code is still phishable, though: a fake login page can ask for it and relay it within the 30-second window.


Thus 2 Factor Authentication using a mobile phone does not provide very strong security. But it is surely more secure than single factor authentication and more convenient than a hardware token.


Nowadays many websites offer 2FA. Users should enable it wherever possible to secure their accounts better.

Friday, December 2, 2016

What is Social Engineering ?


We often hear the term "social engineering". It is a technique commonly used by attackers to spread malware or steal sensitive data from victims. What is social engineering actually? How do attackers use it for malicious purposes and how can we protect ourselves? In this article we discuss that.




What is Social Engineering


Sometimes we think in ways that deviate from rationality or good judgment. These are called cognitive biases, and attackers often exploit them to perpetrate cyber crimes. Social engineering is a technique that relies on these cognitive biases of ordinary people.


Social engineering refers to the psychological manipulation of people with the purpose of deceiving them into performing actions, like installing malware or divulging sensitive information, that they otherwise would not do.




Types of Social Engineering


There are several types of social engineering.


Pretexting
In pretexting, criminals invent a scenario to convince a user to divulge sensitive information or perform other actions that serve the attacker's purpose. They often research the target first and use that information to impersonate a legitimate authority and deceive the user. A typical example is impersonating a tax authority to trick a victim into divulging sensitive information. Another is impersonating a coworker with an urgent problem who needs access to additional network resources.


Baiting


Baiting is like a real-world Trojan horse. Attackers use physical media to lure victims, exploiting their curiosity or greed. A classic example is leaving a malware-infected USB drive in a public place and waiting. If a victim picks up the USB drive out of curiosity and plugs it into a computer, the computer is infected with malware and the attacker gains access to it.


Quid Pro Quo


In this technique, attackers lure victims into divulging sensitive information in return for something of little value. An example is offering ice cream or chocolate to young people to make them divulge their passwords.


Scareware


Scareware involves frightening the victim into believing that the computer has a technical problem or is infected with malware that needs immediate removal. Attackers use this to trick users into installing rogue anti-malware that itself installs malware on the computer.


Phishing


Phishing is a technique widely used to deceive victims into divulging sensitive information or installing malware on their computers. The attacker typically sends an email purporting to come from a legitimate authority and asks the victim to verify some details by clicking a link or opening a malicious attachment. The email typically contains threats and creates a sense of urgency, so that worried users fall victim.


Vishing


In vishing (voice phishing), attackers use a rogue Interactive Voice Response (IVR) system to recreate a legitimate-sounding copy of a bank's or other authority's phone system. They often send victims a legitimate-looking number to call to verify some details, and when the victims call they are deceived into divulging passwords, PINs or other sensitive information. In some cases the rogue IVR asks the victim to log in and rejects the credentials repeatedly, so that the victim types in the credentials several times or is tricked into entering multiple passwords.




Methods used in Social Engineering


Attackers can use several methods in social engineering.


Email from a friend


Attackers can spoof the email address of a friend or relative and send a phishing email to the user. Because the sender address appears to belong to a friend or relative, such scams are harder for victims to detect. Spoofing is possible because SMTP does not authenticate the From header by itself; checks like SPF, DKIM and DMARC exist so that receiving mail servers can detect it.
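As an added example (not code from the original post), a small check over raw message headers that flags the signals a mail gateway, or a careful user looking at the headers, can use when a message appears to come from a friend: a failed SPF or DKIM result recorded by the receiving server in Authentication-Results, a Reply-To that points somewhere other than the From address, and a display name that matches a known contact while the address does not. The messages, addresses and contact list are constructed.

```python
# Added example: spoofed-sender indicators from constructed raw email headers.
import email
from email.utils import parseaddr

# Constructed address book: lower-cased display name -> known address
CONTACTS = {"alice": "alice@example.org"}


def auth_results(msg):
    """Parse 'spf=pass', 'dkim=fail' style results from Authentication-Results headers."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for part in hdr.split(";")[1:]:        # the first element is the authserv-id
            fields = part.strip().split()
            if fields and "=" in fields[0]:
                method, result = fields[0].split("=", 1)
                results[method.lower()] = result.lower()
    return results


def spoof_indicators(raw: str):
    """Return a sorted list of indicator names found in the message; empty means clean."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    indicators = []
    res = auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        if res.get(method) not in (None, "pass"):
            indicators.append(f"{method}_{res[method]}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        indicators.append("reply_to_mismatch")
    known = CONTACTS.get(name.lower())
    if known and known.lower() != addr.lower():
        indicators.append("display_name_impersonation")
    return sorted(indicators)


# Constructed sample messages
LEGIT = """From: Alice <alice@example.org>
To: bob@example.net
Subject: lunch?
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example.org; dkim=pass header.d=example.org

Lunch on Friday?
"""

SPOOFED = """From: Alice <alice@example.org>
Reply-To: alice.help@mail-secure-login.example
To: bob@example.net
Subject: urgent: need your help
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=example.org; dkim=none

I am stuck abroad, please click the link and send me the code.
"""

LOOKALIKE = """From: Alice <alice@examp1e.org>
To: bob@example.net
Subject: invoice
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=examp1e.org; dkim=pass header.d=examp1e.org

Please open the attached invoice.
"""

if __name__ == "__main__":
    for m in (LEGIT, SPOOFED, LOOKALIKE):
        print(spoof_indicators(m))
```

The lookalike case passes SPF and DKIM because the attacker legitimately owns examp1e.org; that is why the address-book comparison matters and why a clean authentication result alone is not proof that a mail is from a friend.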


Containing a link


Attackers often send emails containing a link to a malicious website. The website may spread malware, or it may be a clone of a legitimate website used to trick users into divulging sensitive information.


Containing attachment


Attackers often send an email asking the victim to verify some details by opening a malicious attachment, and when the attachment is opened the computer is infected with malware.


Urgently asking for help


Attackers may send emails urgently asking for help. They describe an imaginary situation and ask the victim to send money to the sender.


Asking for donation


Attackers may send emails asking for donations to a fake charitable fundraiser and instruct the victim on how to send money.


Asking to verify some information


Attackers may send a malicious attachment and trick the user into opening it by asking them to verify some information. They often create a sense of urgency in the email to increase the probability that the victim opens it.


Notifying you are a winner


Attackers may send an email claiming to be from a lottery, the estate of a dead relative or some other wealthy person who wants to transfer money to the victim's bank account, and thus trick the victim into clicking a link or attachment or divulging sensitive personal information.




Prevention


We can always take a few steps to protect ourselves better:


  • If an email creates a sense of urgency to click a link, open an attachment or reveal sensitive information, slow down and think twice before doing what the sender wants.
  • If an email looks suspicious, spend some time researching the facts. A few simple web searches often prevent a lot of trouble.
  • Treat emails that ask you to divulge credentials or other sensitive information as scams and delete them; legitimate organizations do not ask for passwords by email.
  • Reject email requests for help that come from an unknown person.
  • Do not click any link in a suspicious email from an unknown sender.
  • Do not open attachments in emails from unknown senders.
  • Email spoofing is widely used by attackers to trick victims. So if you get an email with a friend's or relative's address in the sender field that nevertheless looks suspicious, do not click any link in it or open any attachment.
  • If you receive an email offering a foreign lottery or sweepstakes, money from an unknown person or funds from a foreign country in return for personal information, delete it immediately.
  • If an email looks suspicious, confirm with the sender offline before responding. It is better to be safe than sorry.
  • If you think an email is spam, mark it as such in your spam filter. Spam filters often use machine learning to detect spam, and marking an email as spam helps the filter learn and detect future spam better.
  • Last but not least, keep your operating system, browser and other commonly used software updated with recent security patches. Configure proper firewalls. Use anti-malware solutions from trusted sources and keep them updated regularly.