Thursday, 7 November 2013

Fujitsu CTO sees the lighter side of Internet of Things security concerns

Dr Joseph Reger of Fujitsu brandishes a smart light bulb
MUNICH: Afraid of the dark? Perhaps you should be afraid of the lights. That's the twisted future envisioned by light bulb-wielding Fujitsu chief technology officer Joseph Reger.
Patrolling the floors of the Fujitsu Forum in Germany, Dr Reger explained to onlookers how one of the most innocuous objects in your house could become part of a global attack.
The Internet of Things, perhaps one of the most talked-about technologies that nobody in the real world actually uses yet, is expected to take hold within the next decade, and with it will inevitably come cyber threats, as with any new technology. Reger chose intelligent light bulbs as his example:
"I'm not concerned about someone hacking into your home and turning off your lights," he said. We at V3 are very concerned about that, for the record. "What I'm talking about is someone hacking into your home and looking at the usage pattern of your light bulbs and determining whether you're on vacation, and when it might be a good time to break in."
Such concerns have been voiced before, with Philips' Hue light bulb singled out as a cause for concern by security researchers. Reger went further, though, to envision a world of slave light bulbs run by some sort of domestic super villain.
"If this light bulb is a little bit more intelligent, if they're intelligent enough, you can inject malicious code into the bulb itself if it's not protected properly. What's the problem with that? All of a sudden I have an army of attackers I've just programmed and I can launch a denial of service attack on anybody using billions of soldiers."
We've heard this described before in the form of toaster armies mining the currency Bitcoin - and perhaps the metaphors are getting out of hand - but we're sure Reger knows this, and we have to say we enjoyed his demonstration.
The real point here is that we haven't moved on from this novelty, this funny notion of light bulbs stealing your lunch money and laughing at you. In the world of business and industry, machine-to-machine communication is already commonplace. That's not to say it isn't serious either - a recent UK government report highlighted the need to ramp up security among connected machines.
So, who to believe? It's very difficult to know exactly how much of a threat these things are, especially because the number of people with intelligent light bulbs in their home is so low that crooks probably couldn't even DDoS your mum's laptop.
Until there's more of this stuff out there, we can't know for sure what possibilities - positive or negative - IoT can offer.

Microsoft offers bug hunters $100,000 for early attack alerts

Microsoft has extended the payment criteria of its bug bounty programme to include early alerts about active cyber attacks on its services.
Senior security strategist at the Microsoft Security Response Center, Katie Moussouris, announced the extension in a blog post, confirming early attack spotters could be eligible for a payment of up to $100,000.
"We are expanding the pool of talent who can participate and submit novel mitigation bypass techniques and defensive ideas to include responders and forensic experts who find active attacks in the wild. That means more people can 'sing along' to earn big bounty payouts than ever before," read the post.
"[This] means we are going from accepting entries from only a handful of individuals capable of inventing new mitigation bypass techniques on their own, to potentially thousands of individuals or organizations who find attacks in the wild. Now, both finders and discoverers can turn in new techniques for $100,000."
Microsoft's bug bounty programme was originally announced in June but had far stricter payment criteria and would only reward the author of an exploit. This meant it was all but impossible for bug hunters to earn money for spotting a technique that was already being exploited by the blackhat community.
Moussouris said the new payment system will help Microsoft radically improve its defences, offering an added incentive for the whitehat community to report any attacks they spot.
"We want to learn about these rare new exploitation techniques as early as possible, ideally before they are used, but we'll pay for them even if they are currently being used in targeted attacks if the attack technique is new - because we want them dead or alive," read the post.
The news has been welcomed by the security community. Technical evangelist at WhiteHat Security, Robert Hansen, mirrored Moussouris' sentiment, arguing the move will make it far more difficult for blackhat hackers to target Microsoft products undetected.
"I think it will make a lot of waves amongst the community who has, thus far, paid exclusively on attributable vulnerabilities. It could even somewhat disrupt some of the blackhat markets, by encouraging blackhats to buy or find each other's vulnerabilities and sell them to Microsoft to reduce the competition. I just hope Microsoft is prepared for the onslaught of vulnerability reports they'll be receiving," he said.
Microsoft is one of many companies using bug bounty programmes to help improve its products' security. In October Google extended its Vulnerability Reward Program to pay bug hunters and security professionals up to $3,133 for security improvements to a number of open source projects.