cancel
Showing results for 
Search instead for 
Did you mean: 
Create Post

The Other IoT: The Internet of Trolls and Their Tolls

Level 13

One of the hottest topics in IT today is IoT, which usually stands for the Internet of Things. Here, however, I’d like to assign it another meaning: the internet of trolls and their tolls.

What do the internet of trolls and their tolls have to do with the data center and IT in particular? A lot, since we IT professionals have to deal with the mess created by end-users falling for the click-bait material at its heart. Without a doubt, the IT tolls from these internet trolls can cause real IT headaches. Think security breaches and ransomware, as well as the additional strain on people, processes, and technological resources.

One example of the internet of trolls and their tolls is the rise of fake online news. It’s an issue that places the onus on the end-user to discern between fact and reality, and often plays on an end-user’s emotions to trigger an action, such as clicking on a link. Again, what does this have to do with us? Social media channels like Facebook and Twitter are prominent sources of traffic on most organizations’ infrastructure services, whether it be the routers and switches, or the end-user devices that utilize those network connections and bandwidth, plus compute resources.

Fake news, on its own, may provide water cooler conversation starters, but throw in spearfishing and ransomware schemes, and it can have fatal consequences in the data center. Compromised data, data or intellectual property held for ransom, and disruption to IT services are all common examples of what can be done with just a single click on a fake news link by IT’s weakest link – our end-users.

Both forms of IoT have their basis in getting data from systems. The biggest challenges revolve around the integrity of the data and the validity of the data analysis. Data can be framed to tell any story. The question is: Are you being framed by faulty data and/or analysis when dealing with the other IoT?

Let me know what you think in the comment section below.

50 Comments
Level 15

kong.yang​ good read. 

I feel the worst part of it all is the fact we spend countless hours preparing, training user, installing security patches, malware defense, antivirus programs, etc, etc, etc.  And for all of us its seem there are 10X the number of scumbags out there trying to run us over.   Take ransomeware for example.   Obviously backups are essential but now, leveraging storage, cloud and al the cool buzz word technology we have today, just to ensure sally does lose a picture of her cat eating yarn, is frustrating.   Everyone in the organization has to be responsible to a degree.

I spend countless hours creating user friendly emails with warnings of the latest scams and threats.   Monitoring everything i can, but I am still just an army of one at the end of the day.   Although my title says Director of IT, I have a small IT department and all my other resources are dealing with SAP and our process control systems. So IT by default comes back to me.  I know lately there has been a slight slowing of attacks in certain areas but over all, the fight is raging on and the slow down is only a precursor to the next more violent wave of attacks which threaten out very data we are sworn to protect.  Nothing in any company os more valuable than data, and that is why they attack.

MVP
MVP

The fake news based on limited facts at best with a huge spin for personal opinion is so rampant these days....

Like anything else in IT, you have to validate your data, programming 101.  If it doesn't fit the expected input, reject it and log it.

garbage in - garbage out

Level 13

don't have any devices yet...I was going to be a late adopter, then all the security issues and device hacks happened...

Unfortunately, mainstream news has so much opinion and commentary that it is almost fake news, BUT YOU WON"T BELIEVE WHAT SHE DID NEXT!!!  <<CLICK HERE>>

Seriously, I have always joked that Facebook needs a

Our business has started doing regular tests of click bait and might I say they are well written.  Those who fall for the different attempts are sent to training on specifically what they fell for and then phishing in general.

Trust, privacy, and anonymity are going through adolescence on the Internet. Hopefully they make out the other side of this life change as well balanced adults, but today they are moody and unpredictable. Today it is hard to know who to trust, how to keep what's important private, and the trolls know just where to apply pressure. For fun or profit, they certainly take advantage of too many of us.

We as IT people aren't immune, but we do often stand a better chance then many of our friends and family. Personally, I want to help them but the best I can do is to encourage them to be critical (not cynical) of what they see and hear. Trust no one thing, if you can gather more information. That email from you bank say you need to do something? Call them or log into your account without interacting. Pop up say that your computer is infected? Does the installed AV client agree? Maybe if you are unsure turn it off and call me.

I don't know where this goes next, but it we don't reinvent how we build trust across anonymous systems privacy and security will suffer, and so will we. Is the weakest link people or technology? I don't think it matters anymore, both are needed improve.

Love the regular tests, we have subscribed management to click-baity fake emails that lead them to training when they fail to recognize the danger, and performance/training stats that get tracked. It really did help. We have been spearfished, and did really well against it. Our CEO legitimately sent an email that looked suspicious, and we had to post on the Intranet that it wasn't dangerous to limit helpdesk calls. That's not to say that people don't make mistakes, but the effort to help them is worth it.

I've been doing some pentest/exploit training lately, and these experiences emphasized the point that the human element is always the most fragile piece of any security posture/solution/program. Besides the glaringly obvious social engineering aspects, almost every vulnerability exploit I tested out and worked on was due to a human. Tomcat's inherently insecure, sure.....if the admin user/pass isn't changed. Every Windows vulnerability I exploited was because of a lack of patching or user-initiated compromise via clickjacking, phishing, etc. Granted, there are certain inherent vulnerabilities in some OS and platforms based on attack surface, but all the really nasty stuff always involves an inadvertent human actor as the victim. Can we get a properly-encoded malicious payload past AV? Of course we can - if we can just get that person to click. We'll always be the weak link.

Perhaps not germane to trolldom specifically, but to me this is the core of the problem. Software can always be written to break other software, I get that. It's the personal piece that one cannot predict.

Level 13

Trust, when it comes to the internet, is seriously tanking. So much money is spent on security and securing information, I kind of wonder if it isn't those companies sending out the trolls...

What?  You'd trust something just because it shows up on the Internet and happens to either coincide with your personal beliefs, or it offends you?  And you want to react to it without pause or consideration? 

Be like Skeptical Cat.

pastedImage_0.png

Level 13

hmmm...looks more like Joey Tribianni cat " how YOU doin'?"

Click-baiter!

Level 13

i almost clicked!!!

You should... see where it takes you. 😉

Level 13

nope...not gonna do it...

It'll bring tears to your eyes! 😉

Level 13

ok ok, i clicked....i clicked...

now i feel yucky

or like an end user.

We'd already given it another name, the Internet of Threats.

Two months ago I was at a dinner where a very educated and well read person.  They tried to tell me two "news stories" were fact.  That this information was a big cover up by major media sources.

The information fit their own personal perspective so I tried twice to have them look it up from different sources but they weren't having it.

Looks like I cant get away from Click-Bait, not even at dinner.

RT

Remember that study about how using real names actually increases trolling?Study: Trolls Are Even Worse When Using Real Names | Techdirt  for reference. Link probably of interest to wabbott Remember what facebook requires by default? Yeah..........about that. Facebook is not designed as anything more than a timewaste. To expect dialogue to be meaningful or trolling to not happen is delusional because the platform *isn't* designed for meaningful dialogue.  Now, think of what standard mainstream media uses? Vs websites like fark, that are moderate and make fun of *anyone* on any side of the political spectrum and covered issues mainstream has been avoiding.

I credit this as one reason to add to the pile for why thwack has better/meaningful dialogue, and why I don't desire to have my entire real name be my username (nor is it smart for reasons of identify theft/social engineering).

I love pfishing training because it's hilarious how many people it catches, but the time period of people retaining the training is not perpetual. Literally the same people will fall for it every year training or not. Security's greatest weakness in a secure org is the same as always: the people.

Are you using one of those pfishing test services?

IoT, the S stands for security.

Level 11

well we can talk a lot about IOT and stuff but in reality for now it is more to see how its implemented (areas where its implemented) rather than security or actual reality of the data.

Especially in India its more of a discussion and a forum to debate and discuss.. In simple a HOT topic.

Yes, it was https://phishme.com/

Level 13

a very restrictive firewall in front of them should do the trick...

Level 20

We hate the trolls on the internet under the bridge!

MVP
MVP

Totally agree ..............

MVP
MVP

Sometimes we do forget the basics (of checking things thoroughly) before we proceed with them  & that's when we get into trouble ..............

Level 10

We see a spike in IoT issues on our own intranet unfortunately.  Any time a mass email is sent out asking for some kind of action by end users, we get FLOODED with users forwarding the email to us asking if it's legit or spam.  Those emails were sent from our domain yet EUs who are easily scared or confused hammer on us for about a week with questions of the emails validity.

During Prince's funeral we had a huge spike in traffic and bandwidth became an issue due to users streaming the funeral.  Same thing for the Royal wedding.

Level 13

agree...most people just think "hey cool tech - I want that".  They install it, and help cause a massive ddos attack because of no security knowledge.

Level 15

Interesting article, thanks for sharing!

Level 13

I so agree......  should I click or should I NOT click.  That is the question!!!!!!!!!

You shouldn't.

MVP
MVP

Level 13

there should be a security setting on mice to prevent clicks...

NO TOUCHING!

Level 9

Must... click... link...

Level 9

This article makes me glad we don't use real names in World of Warcraft. Can you imagine how bad trade chat and battleground chat would be if the trolls were any worse!?

Are you telling me that guy's name wasn't really Leeroy Jenkins?

Level 13

has any one heard of the pending lawsuit against IoT manufacturers? It'd be nice if we could force them to actually think about security when they design and manufacture technology pieces.

I think there are several. The pending class-action suit against Toyota and GM made the news not too long ago.

It seems like there's this division during the development/prototyping piece of IoT efforts - lots of engineers, lots of software devs, (one would hope) lots of network/security people - but they don't seem to end up on the same page.

It's weird - IETF has had standards in place around IoT design for close to a decade, and in the newsmaking cases, we certainly don't see any real adherence to a set of security standards/controls.

Level 13

No, your correct...nor does it seem to be a deterrent for insecure programming...

Level 11

HAHAH....sad to say I have that achievement

Level 11

This is an interesting conversation / article...

Our Info Sec team randomly sends around fake emails with news links and such, from what I understand they get a lot of users clicking the links.  I think the drill is valid to a point...maybe they should follow up these tests with training for the users that feel the need to click on everything...instead of hiding the results in some spreadsheet.

MVP
MVP

Our anti-phishing testing tool does the email thing about once a month/quarter. 

So many people get fooled...then there is the clickbait.

Level 13

now why would you post that...now tinmann0715​ will never leave us alone!

Level 13

"click, click, click, click, click"

Level 21

This provides a great case for how important it is to educate your users... and of course to make sure they have updated Anti-Virus software on their systems.

Level 14

All goes back to having the right policies and processes in place.  That and monitoring

About the Author
Mo Bacon Mo Shakin' Mo Money Makin'! vHead Geek. Inventor. So Say SMEs. vExpert. Cisco Champion. Child please. The separation is in the preparation.