IBM X-Force Threat Intelligence Quarterly, 4Q 2014
November 2014, IBM Security Systems

Get a closer look at today’s security risks—from new threats arising from within the Internet of Things, to the sources of malware and botnet infections.


Contents

2 Executive overview
3 Securing the new world of the Internet of Things
8 Reputation counts: The sources of malware and botnets
14 About X-Force
15 Contributors
15 For more information

Executive overview

As the end of the year draws near, the IBM® X-Force® research and development team takes a closer look at the security trends shaping our world. In particular, this report examines how the Internet continues to connect more people, places and things, resulting in a new range of security risks.

First, let’s look at security for the Internet of Things. The ubiquitous connectivity of the “things” that enrich our lives, from thermostats to automobiles to medical devices, means software development is happening adjacent to cutting-edge technology developed by hardware manufacturers. The security industry can help guide the development of security practices for embedded software from near-inception. Not only would this create a new era of secure software, it would save a world of potential breaches from impacting the Internet of Things.

In a November 2014 report, analysts estimated that the Internet of Things will represent 30 billion connecting “things” by 2020, growing from 9.9 billion in 2013. These connected “things” are largely driven by intelligent systems—all collecting and transmitting data.1 This connectivity is changing the way we live and creating new questions about personal privacy, marketing and Internet security as “things” are manufactured and sold to consumers.

Malicious actors intent on taking control of data, identities and passwords have been investigating and making use of Internet-connected devices that are not securely developed, making them easier targets than PCs, laptops or tablets. It’s critical now, more than ever, for organizations and the employees utilizing this nascent technology to consider the risks as they connect to the enterprise safety zone. We’ll talk later in this report about the individual risks and protections that are available to assist in these important areas.

Next, we focus on places—specifically, those on the Internet that are unsafe. Leveraging our database of more than 23 billion URLs and IP addresses, we’ll look at which countries are prone to the highest proportion of malware and botnet infections, and how the landscape has changed over the last 14 months.

As with every IBM X-Force Threat Intelligence Quarterly, people are at the heart. As security practitioners, we hope the insights into securing things and places can be helpful for protecting your own network. We’ll be back in 2015 with a year-end review of the security trends from 2014, and what to expect in the year to come.


Securing the new world of the Internet of Things

From connected cars to programmable pacemakers, how can you keep sensitive data safe and secure in a world of ubiquitous connectivity?

Your next mobile device might be truly mobile—with wheels and a dashboard. And if you have a modern pacemaker or insulin pump, you’ll not only be the occupant of an Internet-connected device, you’ll be host to one as well. The latest trend is to connect anything with computing power to the Internet, including vehicles, implantable medical devices, and smart utility meters. Even objects that traditionally haven’t been computerized, such as household appliances,2 toothbrushes3 and drinking cups,4 are being instrumented and connected.

This wave of instrumentation and connectivity has been dubbed the Internet of Things (IoT). As with other broad categories of technology, such as cloud or mobile, the IoT can offer productivity and quality-of-life improvements, but it can also drag in its wake a host of unknown security threats.

For the last few years, this ubiquitous connectivity has been featured at security conferences such as Black Hat and DEF CON. In 2011, a security researcher figured out how to hack into his own insulin pump simply with knowledge of its serial number.5 More recently, two researchers have presented their findings on connected vehicle security, including a demonstration aired on a US morning talk show on how to take control of two brands of cars.6

As with most monikers for emerging technological concepts, the term “Internet of Things” is considerably ambiguous. So what comprises the IoT? Most of us think of capabilities like home automation, such as Google Nest, a network of connected thermostats and smoke detectors. Connected cars also fall squarely into the IoT. But what about the smartphones and tablets that provide access to these “things”? Are these devices “things” too?

How about traditional computing devices, such as mainframes, servers, workstations and laptops? Are they full-fledged “things” or just legacy computers? They’re not that new and it doesn’t seem right to anoint them with a cutting-edge label like IoT. Then there are industrial control and Supervisory Control and Data Acquisition (SCADA) systems. Some are so old—many are embedded beneath concrete in plant floors, buried there as long ago as the 1950s—that they don’t have inherent IP connectivity, but are connected to the Internet through IP gateways.

Clearly, IoT is a blanket term that’s practically meaningless to security professionals: the devices that comprise the broad IoT perform different functions, expose wildly varying threat surfaces, and require security strategies that are specific to each category of device. At IBM, we’ve created a model of the IoT that’s useful for understanding the security threats at various data flow and control transition points. The model is generalized to accommodate all categories of “things,” but not all “things” will require all components of the model.

All “things” connect to a local network, then to a global network—usually the Internet. This is true for traditional computers and infrastructure devices. Mainframes, servers, desktops, laptops, routers and switches all connect to local networks (although service provider devices may be connected directly to the Internet), and all but highly classified government networks route to the Internet. Industrial control systems may be isolated.


Arguably, the defining characteristic of a “thing” is the ability to remotely view and control it, often from a smart mobile device. “Things” can also send telemetry to a central collection and analytics point. A cloud service often provides the repository and access control between the “thing” and its controller.

Let’s dissect a few “things” and see how they fit the model.

Graphic 1. IBM model for the Internet of Things

Things: “Things” can be remotely controlled or viewed, and they can send telemetry for analysis.
Local network: This may be a controller area network (CAN) in connected cars, a local network in homes, etc.
Global network: Most “things” connect to the Internet, except for power grids or classified government systems.
Cloud service: Cloud services provide the repository and access control between the “thing” and its controller.
Controlling device: Smartphones, tablets and other smart devices can control all types of “things.”


Home automation

This category may include smart appliances, such as refrigerators that report their temperature and alert you when you’re out of broccoli, lighting and sound systems, televisions, thermostats and smoke detectors, alarm systems, garage doors and even door locks. These “things” connect to a home’s local network, which is often wireless, and the local network typically connects to the Internet via a service provider, usually through fiber to the home or broadband cable. Security systems may also have a secondary connection using a mobile network.

Service providers or utilities may provide home automation services, for example, AT&T Digital Life services or Consumers Energy EnerLink.Net.7 Alternatively, enthusiastic hobbyists can build their own home automation solution and bypass the cloud layer, opting instead to connect to their home area network directly from a mobile device or traditional computer.

Connected vehicles

For connected vehicles, the local network may be the controller area network (CAN), to which the electronic control units (ECUs) for your brakes, engine, power windows and other components connect. The global network is your mobile carrier, while the cloud service is often the auto manufacturer’s network, to which your car identifies itself and you authenticate with an app on your mobile phone.

Connected cars have a number of capabilities. Beyond the ability to call for emergency assistance through a subscription-based diagnostics system, the car can report telemetry such as speed, location and engine temperature. You can monitor your vehicle with an app on your mobile device, start it remotely, adjust the cabin climate to the perfect setting for the weather and watch for it to reach the desired temperature. The manufacturer or service partner can analyze the telemetry from ECUs to predict failures and even schedule a service appointment if your smartphone calendar is synchronized with the vehicle.

Industrial control and SCADA systems

Industrial control and SCADA systems vary wildly by industry, age and use. For example, a sugar cane processing plant may have older systems that report the status of the machinery and accept control commands over a serial port. The system is controlled over a dial-up line by an operator console that may be segmented from the rest of the IT network, with no Internet connectivity or ability to control the SCADA system from outside the factory network. In contrast, newer industrial control systems are built on general-purpose operating systems, such as Windows and Linux, and are designed to be connected to an IP network.

Smart meters

Smart meters are driving the convergence of operational technology (such as the industrial control and SCADA devices discussed previously) and traditional IT networks, because the analyzed telemetry is provided to billing systems and is often available to customers through a web portal. Eventually, customers will have the option of choosing their source of energy—perhaps from a micro-grid composed of neighbors who have solar panels—by connecting to the energy provider’s cloud from their mobile phones.

Customers can also choose to run their dishwasher at 2 a.m., when the information on their energy dashboard informs them that the power rates are cheapest, employing both home automation and smart energy. Even better, you’ll be able to set filters that allow the dishwasher and the energy provider to negotiate when the dishes get washed based on instantaneous energy costs.

Implantable medical devices

Modern implantable medical devices provide telemetry to physicians, allowing them to monitor the device’s performance and adjust it. This connectivity is provided over radio frequency to specialized control devices and is limited in range. However, healthcare transformation is demanding that patients have access to their data over patient portals and that the entire ecosystem of healthcare providers and insurers have access to a unified view of patient care information. It’s not difficult to envision pacemakers reporting their status to doctors, and doctors tuning the devices over the Internet, possibly over in-flight wireless services, saving a patient’s life in the middle of an overseas airline flight.


What “things” need

In short, while the “things” may be different and require different security controls (do you really want to run anti-virus on your pacemaker?), our model helps to define the points of protection and the types of security controls that should be implemented at each. For example, “things” need:

• A secure operating system with trusted firmware guarantees. This includes the ability to perform over-the-network / over-the-air updates across untrusted connections.

• A unique identifier. While IPv6 is key to identifying “things” on networks, “things” also need a subscription to a trusted identity database. Since many “things” don’t directly interact with users like traditional computers, the concept of traditional authentication doesn’t apply (and hard-coded administrative credentials11 are not an acceptable solution). Particularly when “things” interact in a machine-to-machine (M2M) environment such as an automobile CAN, each “thing” must be able to trust the others.

• Strong authentication and access control. When users access the data on “things” or control them—usually through a cloud service from the user’s mobile device—it’s crucial to ensure that the user is who he or she claims to be. You wouldn’t want a thief to be able to unlock and start your car with a simple username and password, especially considering the recent spate of credential compromises12 and the knowledge that most users choose simple passwords. In fact, research shows that “123456” and “password” are still the two most common passwords found on the Internet.13

• Data privacy protection. The data that flows to and from “things”—and that may be stored on “things” or their controlling devices—is often sensitive. Drivers may connect their mobile phones to the in-vehicle infotainment system, which has access to their contact information and, possibly, their email and text messages. With mobile payments starting to appear on new mobile phones, credit card information may be accessible to the vehicle. Credentials to access home automation and industrial control systems can also be exposed if not properly protected. Often, the solution to the issue of privacy is data and transmission encryption.

• Strong application security. Vulnerabilities arise due to software bugs. Hardware manufacturers are often not experts in software development, including web applications that may reside on the “thing,” or exist as a cloud portal and mobile apps. Within the software community, security vulnerabilities are legion and often catastrophic, as evidenced by the recent Heartbleed OpenSSL vulnerability14 and the even more recent Bash Shellshock vulnerability.15 Manufacturers of “things” are coming up with new product ideas every day and may rush their products to market without implementing a security development lifecycle or conducting thorough security and functional testing.

The IBM model for the IoT is still a work in progress since the IoT, as a whole, is still evolving. And therein lies the risk—and the opportunity.


The threats to “things” are already out there

Researchers modified the firmware in a car’s telematics unit, allowing them to access all the ECUs in the vehicle. They were then able to successfully disable brake functions while the car’s wheels were spinning at 40 miles per hour. The exploit was conducted by inserting a specially crafted CD containing MP3s that, while playing normally, exploited a buffer overflow in the player’s software.8

A maker of a product designed to allow remote access of a building system, including HVAC and security controls, built in a back-door administrative account. The account provided administrative access with no password, and was used to gain unauthorized access to at least one business, displaying “a floor plan layout of the office, with control fields and feedback for each office and shop area.” The system is used by more than 16,000 organizations and exposed to the Internet without an intervening firewall.9

Weak cryptographic practices not only left network-connected lighting vulnerable to compromise, but exposed passwords for the Wi-Fi network to which they’re connected. Despite using the US National Institute of Standards and Technology (NIST) Advanced Encryption Standard (AES), the lighting devices talk to each other over a mesh network, using a pre-shared key that never changes.10


This is the beginning of the “things” revolution, and, as with mobile devices, the makers and developers of “things” can help drive an imperative to build security in from the start—rather than loosely retrofitted in after the fact. However, unlike the mobile device market, which is isolated to a handful of hardware manufacturers and even fewer mobile operating systems, the IoT manufacturing market is much broader. Many manufacturers of IoT “things” are new and small, and therefore don’t have the funds or resources to add security to their design and development budget and schedules. In addition to resource scarcity, there are still a few residual challenges:

• The traditional software market hasn’t done a great job in creating secure code. The fact that SQL injection is still a huge problem is a sad indicator that we haven’t made enough progress toward training developers—and the industry as a whole—on secure coding and testing applications in development and in production.

• Hardware manufacturers, who are often building “things,” are not generally good at software development. And as mentioned, many software companies aren’t great at writing secure code either.

• Implementation and configuration of systems, software and “things” falls to the end user, and in enterprises, the IT department. Consumers don’t always think about security, and even when they do, the security settings on IoT devices may not be easy to find or understand. In addition, some apps require broad (and insecure) settings to function. While “things” often begin as consumer commodities, they can evolve into enterprise “things”—just as mobile technology did. Most IT departments, however, aren’t responsible for managing the physical security of these “things,” and this could signal a holistic shift in how all aspects of security are managed within the enterprise.

• Many “things” will eventually require IPv6 addresses, bringing a host of security threats. IPv6 is not well understood by many systems and network administrators, much less home users who may have to configure their cable modems for IPv6. To secure a technology, you first have to be an expert in how it works. An entire issue of the X-Force Threat Intelligence Quarterly could focus on IPv6 security, including the potential to use it for advanced distributed-denial-of-service (DDoS) attacks, tunneling through firewalls, and hiding from intrusion and anomaly detection technology. And those are just the threats we know about.

• “Things” rely on a wildly diverse set of protocols such as MQTT, XMPP, DDS, AMQP, Zigbee, and Z-Wave, as well as some industrial holdovers such as Modbus and DNP3, and new automotive entrants such as vehicle-to-vehicle (V2V) and infrastructure-to-vehicle (I2V) communications protocols. Each has its own set of security challenges.

To help address the security challenges within the IoT, IBM X-Force recommends that manufacturers:

• Follow the Open Web Application Security Project (OWASP) IoT Top 10 practices16

• Build a secure design and development practice

• Perform regular penetration testing on products

• Follow industry guidance, such as the IBM Automotive Security Point of View17

Technologists can also help improve security by embracing the IoT, but with a critical eye. You can be an early adopter without being a victim. Buy that cool new device, but don’t blindly put it into production. Test products for security in a staging environment; then, work with vendors to help them understand any flaws and correct them. If vendors are unresponsive, follow responsible vulnerability disclosure guidelines, such as the ones posted by CERT18 or the X-Force team.19 Working together, we can all help ensure that the IoT evolves into a safer, more secure place.


Reputation counts: The sources of malware and botnets

From the vaults of our IP reputation database, learn which countries are the top offenders when it comes to malware and botnet infections.

IBM X-Force researchers continuously track sites that contain malware and store the information in our IP reputation database, which IBM clients use to help protect their networks. These sites may have been erected for the express purpose of hosting malware, or they may be legitimate sites that have been compromised and poisoned. Our database also contains IP addresses that are known to be used by “anonymization” services, often used for sending out spam.

With the recent disclosures of pervasive vulnerabilities such as Heartbleed and Shellshock, X-Force wanted to establish a baseline of the sources of massively distributed malware. This section of the report looks at the countries where malicious links are most often hosted, based on our research, as well as the geographic distribution of botnet command-and-control (C&C) servers. We also compare the current situation with the data from 14 months ago.

[Figure 1. The top 20 malware-hosting countries in August 2014. Chart title: The top 20 malware-hosting countries, August 2014. Y-axis: percentage of total number of malware-contaminated systems. Callout on the leading country: “Nearly four times more than any other country.”]


When it comes to the top countries hosting malware, Figure 1 shows that:

• The United States dominates the scene by hosting nearly 43 percent of all malicious links.

• The country with the second highest concentration of malicious links is China, which hosts around 11 percent. (Interestingly, this is nearly double the amount of the previous year.)

• Germany fell from second to third, now hosting 8.3 percent (down from 9.8 percent 14 months ago).

• The next three countries, positions four through seven, did not change their positions from 2013. And they all host very similar amounts of malicious links: the Russian Federation, the Netherlands, the United Kingdom and France host between 3.6 and 3.3 percent of the malware.

When looking at the geographic distribution of botnet C&C servers, the picture is similar. Figure 2 shows that:

• The United States hosts more C&C servers than any other country, with a quarter of the total number of contaminated systems. Fourteen months ago, however, the US hosted four percent more than it does now.

• The country with the second highest number of C&C servers is the Russian Federation with about 9 percent.

[Figure 2. The top 20 countries with botnet C&C servers in June 2013, compared to August 2014. Credit: Team Cymru. Chart title: The top 20 countries with botnet C&C servers, June 2013 and August 2014. Y-axis: percentage of total number of C&C-contaminated systems. Series: June 2013, August 2014. Callout on the leading country: “More than three times higher than other countries.”]


• The Republic of Korea, China, Germany and the United Kingdom are close together, hosting between 7.2 and 6 percent of the C&C servers.

As we review Figures 1 and 2, it’s not surprising that the countries with the greater numbers of technology users and service providers figure higher in the rankings. Consequently, we decided to normalize the figures based on the ratio of IP addresses as a percentage of total IP-addressable systems in the corresponding country.

Figure 3 shows that when the data is normalized, the US moves out of the top 20 countries for hosting malware—down to number 25. Hong Kong, Lithuania and Bulgaria now appear in the top three positions. And while Lithuania may not lead in the percentage of malware-contaminated systems, Figure 4 shows that it leads for C&C server contaminations.

[Figure 3. Malware contamination as a percentage of the total number of systems in a country, August 2014. Chart title: Malware contamination ratio, August 2014. Y-axis: number of malware-contaminated systems per 1 million. Callout: “Moved up from 29th in the raw data.”]

When normalizing the data for C&C server contaminations, Figure 4 shows that the US moves out of the top 20 countries for C&C servers—down to number 28. This time, the Russian Federation only moves from second to third. Lithuania comes in first by a large margin, and Belarus, Slovakia, Ukraine, Turkey, Thailand, Hong Kong, Hungary, the Czech Republic and Poland all appear above the average, which is just slightly less than two contaminated systems per one million.
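The normalization behind Figures 3 and 4 (contaminated systems per one million IP-addressable systems, the re-ranking it produces, and the average line) worked through in Python on a constructed data set. This is an added example, not X-Force’s data or code; it assumes an unweighted mean for the “Average” line, which the report does not specify.

```python
"""Normalize raw contamination counts by each country's IP-addressable
systems, as the report does for Figures 3 to 5.

Added example with a constructed data set; it is not the X-Force data.
"""
from typing import Dict, List, Tuple

# Constructed sample: country -> (contaminated systems observed,
# IP-addressable systems in that country).  Illustrative numbers only;
# the country names are placeholders, not real countries.
SAMPLE: Dict[str, Tuple[int, int]] = {
    "Alpha":   (4_300, 1_000_000_000),
    "Bravo":   (1_100,   300_000_000),
    "Charlie": (  830,   100_000_000),
    "Delta":   (  360,    40_000_000),
    "Echo":    (  350,    50_000_000),
    "Foxtrot": (  340,    20_000_000),
    "Golf":    (   30,     2_000_000),
    "Hotel":   (   20,    10_000_000),
    "India":   (2_670, 3_000_000_000),
}


def raw_share(data: Dict[str, Tuple[int, int]]) -> Dict[str, float]:
    """Percent of all observed contaminated systems hosted in each country
    (the 'raw' view used in Figures 1 and 2)."""
    total = sum(c for c, _ in data.values())
    return {k: 100.0 * c / total for k, (c, _) in data.items()}


def ratio_per_million(data: Dict[str, Tuple[int, int]]) -> Dict[str, float]:
    """Contaminated systems per one million IP-addressable systems in the
    country (the normalized view used in Figures 3 to 5)."""
    return {k: 1_000_000 * c / n for k, (c, n) in data.items()}


def rank(metric: Dict[str, float]) -> Dict[str, int]:
    """Country -> 1-based rank, highest value first."""
    ordered = sorted(metric, key=metric.__getitem__, reverse=True)
    return {k: i + 1 for i, k in enumerate(ordered)}


def rank_shifts(data: Dict[str, Tuple[int, int]]) -> Dict[str, Tuple[int, int]]:
    """Country -> (raw rank, normalized rank).  A large host with many
    systems drops; a small host with a high infection density rises."""
    raw = rank(raw_share(data))
    norm = rank(ratio_per_million(data))
    return {k: (raw[k], norm[k]) for k in data}


def mean_ratio(data: Dict[str, Tuple[int, int]]) -> float:
    """Unweighted mean of the per-country ratios.  Assumption: the report's
    'Average' line is taken to be this simple mean."""
    r = ratio_per_million(data)
    return sum(r.values()) / len(r)


def above_average(data: Dict[str, Tuple[int, int]]) -> List[str]:
    """Countries whose normalized ratio exceeds the mean, highest first."""
    r = ratio_per_million(data)
    avg = mean_ratio(data)
    return sorted((k for k, v in r.items() if v > avg), key=r.__getitem__, reverse=True)


if __name__ == "__main__":
    share, ratio, shifts = raw_share(SAMPLE), ratio_per_million(SAMPLE), rank_shifts(SAMPLE)
    print(f"{'country':8} {'raw %':>6} {'per 1M':>7} {'raw rank':>8} {'norm rank':>9}")
    for k in sorted(SAMPLE, key=ratio.__getitem__, reverse=True):
        print(f"{k:8} {share[k]:6.1f} {ratio[k]:7.2f} {shifts[k][0]:8d} {shifts[k][1]:9d}")
    print(f"average ratio: {mean_ratio(SAMPLE):.2f} per million")
    print("above average:", ", ".join(above_average(SAMPLE)))
```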

[Figure 4. C&C server contamination as a percentage of the total number of systems in a country, August 2014. Chart title: C&C server contamination ratio, August 2014. Y-axis: number of C&C-contaminated systems per 1 million. An “Average” line is drawn across the chart. Callout on the leading country: “Significantly higher than any other country.”]


[Figure 5. C&C server contamination in June 2013, compared to August 2014. Chart title: C&C server contamination ratio, June 2013 and August 2014. Y-axis: number of C&C-contaminated systems per 1 million. Series: June 2013, August 2014. Callouts: “Only country with an increased ratio (besides Indonesia)” and “Significantly cut its contamination rate.”]

When comparing the data from 2013 to that from 2014, almost all the countries have reduced their total number of C&C server contaminations except Lithuania, which is not only in the top spot for 2014, but stayed in that position by increasing its contaminated system ratio by about one per one million systems. Slovakia stayed flat year over year, while Indonesia increased. Interestingly, Ukraine decreased its contamination ratio by the largest margin, by almost five systems per one million.


Concluding observations

It is interesting to see that Lithuania dominates the scene. This is similar to how Belarus leads the world in its spam bot infection ratio (for more information on spam bot infections, see the IBM X-Force Threat Intelligence Quarterly - 2Q 2014).

The military conflict in eastern Ukraine might be one reason why this country now hosts only 0.7 percent of all malware, while 14 months ago, 1.4 percent of all malicious links could be found on Ukrainian servers. Military conflicts tend to disrupt criminal pursuits. Furthermore, as nearly all countries have reduced their total number of C&C server contaminations, the botnet operators may be distributing the infections to a larger number of countries—in order to be safe from any local actions against these infections.

Finally, when looking at the malware-hosting and C&C server-contaminated countries, Eastern European countries appear to dominate both lists. It will be interesting to see whether this is permanent or whether this distribution changes as it does when looking at the top spam-sending countries (for more information on spam trends, see the IBM X-Force 2013 Mid-Year Trend and Risk Report).


About X-Force

Advanced threats are everywhere. Help minimize your risk with insights from the experts at IBM.

The IBM X-Force research and development team studies and monitors the latest threat trends including vulnerabilities, exploits, active attacks, viruses and other malware, spam, phishing, and malicious web content. In addition to advising customers and the general public about emerging and critical threats, IBM X-Force also delivers security content to help protect IBM customers from these threats.

IBM Security collaboration

IBM Security represents several brands that provide a broad spectrum of security competency:

• The IBM X-Force research and development team discovers, analyzes, monitors and records a broad range of computer security threats, vulnerabilities, and the latest trends and methods used by attackers. Other groups within IBM use this rich data to develop protection techniques for our customers.

• The IBM Security Trusteer®20 product family delivers a holistic endpoint cybercrime prevention platform that helps protect organizations against financial fraud and data breaches. Hundreds of organizations and tens of millions of end users rely on these products from IBM Security to protect their web applications, computers and mobile devices from online threats (such as advanced malware and phishing attacks).

• The IBM X-Force content security team independently scours and categorizes the web by crawling, independent discoveries, and through the feeds provided by IBM Managed Security Services.

• IBM Managed Security Services is responsible for monitoring exploits related to endpoints, servers (including web servers) and general network infrastructure. This team tracks exploits delivered over the web as well as via other vectors such as email and instant messaging.

• IBM Professional Security Services delivers enterprise-wide security assessment, design and deployment services to help build effective information security solutions.

• IBM QRadar® Security Intelligence Platform offers an integrated solution for security intelligence and event management (SIEM), log management, configuration management, vulnerability assessment and anomaly detection. It provides a unified dashboard and real-time insight into security and compliance risks across people, data, applications and infrastructure.

• IBM Security AppScan® enables organizations to assess the security of web and mobile applications, strengthen application security program management and achieve regulatory compliance by identifying vulnerabilities and generating reports with intelligent fix recommendations to ease remediation. IBM Hosted Application Security Management service is a cloud-based solution for dynamic testing of web applications using AppScan in both pre-production and production environments.


Contributors

Producing the IBM X-Force Threat Intelligence Quarterly is a dedicated collaboration across all of IBM. We would like to thank the following individuals for their attention and contribution to the publication of this report.

Contributor        Title
Chris Poulin       Research Strategist, IBM X-Force
Doug Franklin      Research Technologist, IBM X-Force Advanced Research
Dr. Jens Thamm     Database Manager, IBM X-Force Content Security
Leslie Horacek     Manager, IBM X-Force Threat Response
Marc Noske         Database Administrator, IBM X-Force Content Security
Michael Hamelin    Lead Security Architect, IBM X-Force
Pamela Cobb        Worldwide Market Segment Manager, IBM X-Force and Threat Portfolio
Ralf Iffert        Manager, IBM X-Force Content Security

For more information

To learn more about IBM X-Force, please visit: ibm.com/security/xforce/


© Copyright IBM Corporation 2014

IBM Corporation, Software Group, Route 100, Somers, NY 10589

Produced in the United States of America
November 2014

IBM, the IBM logo, ibm.com, AppScan, QRadar, and X-Force are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml

Trusteer is a trademark of Trusteer, an IBM Company.

Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.

Windows is a trademark of Microsoft Corporation in the United States, other countries, or both.

This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.

THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.

The client is responsible for ensuring compliance with laws and regulations applicable to it. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the client is in compliance with any law or regulation. Statements regarding IBM’s future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that systems and products are immune from the malicious or illegal conduct of any party.

1 IDC, “Worldwide and Regional Internet of Things 2014–2020 Forecast Update by Technology Split,” Doc # 252330, November 2014. http://www.idc.com/getdoc.jsp?containerId=252330

2 Brandon Griggs, “Connected TVs, fridge help launch global cyberattack,” CNN, 17 January 2014. http://www.cnn.com/2014/01/17/tech/gaming-gadgets/attack-appliances-fridge

3 “CES 2014: Toothbrush ‘tells you how well you brush’,” BBC News, 6 January 2014. http://www.bbc.co.uk/news/technology-25621422

4 Ellis Hamburger, “Vessyl is the smart cup that knows exactly what you’re drinking,” The Verge, 12 June 2014. http://www.theverge.com/2014/6/12/5801106/vessyl-smart-cup-that-knows-exactly-what-youre-drinking

5 Dan Kaplan, “Black Hat: Insulin pumps can be hacked,” SC Magazine, 4 August 2011. http://www.scmagazine.com/black-hat-insulin-pumps-can-be-hacked/article/209106/

6 Steve Henn, “With Smarter Cars, The Doors Are Open To Hacking Dangers,” NPR, 30 July 2013. http://www.npr.org/blogs/alltechconsidered/2013/07/30/206800198/Smarter-Cars-Open-New-Doors-To-Smarter-Thieves

7 “Online Energy Monitoring,” Consumers Energy, accessed 8 October 2014. http://www.consumersenergy.com/content.aspx?id=1696

8 Robert Vamosi, “Hard-coded Credentials Still Haunt Many Legacy IoT Products,” Forbes, 13 August 2014. http://www.forbes.com/sites/robertvamosi/2014/08/13/hard-coded-credentials-still-haunt-many-legacy-iot-products/

9 “Experimental Security Analysis of a Modern Automobile,” 2010 IEEE Symposium on Security and Privacy. http://www.autosec.org/pubs/cars-oakland2010.pdf

10 Dan Goodin, “Intruders hack industrial heating system using backdoor posted,” Ars Technica, 13 December 2012. http://arstechnica.com/security/2012/12/intruders-hack-industrial-control-system-using-backdoor-exploit/

11 Dan Goodin, “Crypto weakness in smart LED lightbulbs exposes Wi-Fi passwords,” Ars Technica, 7 July 2014. http://arstechnica.com/security/2014/07/crypto-weakness-in-smart-led-lightbulbs-exposes-wi-fi-passwords/

12 Danny Yadron, “Russian Hackers Steal 1.2 Billion Usernames and Passwords, Security Firm Says,” Wall Street Journal, 5 August 2014. http://blogs.wsj.com/digits/2014/08/05/security-firm-russian-hackers-amassed-1-2-billion-web-credentials/

13 “‘Password’ unseated by ‘123456’ on SplashData’s annual ‘Worst Passwords’ list,” SplashData, accessed 21 October 2014. http://splashdata.com/press/worstpasswords2013.htm

14 John Lucassen, “Are Vendors Doing What Is Needed to Mitigate Security Vulnerabilities?” IBM Security Intelligence Blog, 30 June 2014. http://xforce.iss.net/xforce/xfdb/92322

15 Seth Hanford, “Common Vulnerability Scoring System, V3 Development Update,” FIRST, June 2014. http://xforce.iss.net/xforce/xfdb/96153

16 OWASP Internet of Things Top 10 Project. https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project

17 IBM Institute of Business Value, “Transforming the automotive industry: A globally integrated enterprise point of view,” 5 September 2014. http://public.dhe.ibm.com/common/ssi/ecm/en/gbe03619usen/GBE03619USEN.PDF

18 “Vulnerability Disclosure Policy,” CERT, accessed 8 October 2014. http://www.cert.org/vulnerability-analysis/vul-disclosure.cfm

19 IBM, “IBM Internet Security Systems X-Force Research and Development Team Vulnerability Guidelines,” December 2008. http://www-935.ibm.com/services/us/iss/xforce/vulnerability-guidelines.pdf

20 Trusteer, Ltd. was acquired by IBM in September 2013.

WGL03062-USEN-00

Please Recycle