BreachExchange mailing list archives
Cyber threats loom anew on the Internet of Things
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 2 Sep 2015 17:41:37 -0600
http://www.compasscayman.com/journal/2015/09/02/Cyber-threats-loom-anew-on-the-Internet-of-Things/ Looming darkness is an apt metaphors for contemplating the twilight world of cyber crime and the ongoing contest with hackers, identity thieves, credit-card hijackers and the legions trolling for personal information. The threats from cyber intruders are persistent, stubborn and reconstituted almost daily. James Pearse, solutions architect at Cayman’s Ignition Group of Technology Companies, describes five main threats that have emerged in the past year. Chief among them may be ransomware, in which a hacker simply moves into your PC, like a demonic possession, then offers to sell it all back to you at a hefty cost, leaving the victim permanently “spooked” and without security guarantees. “There is a huge proliferation of this on the cloud,” says Pearse. “They can take all your data and then use your machine to attack others. Yes, there can be a profit [motive] to this, but really it’s mostly malicious.” Most intriguing, however, is the Internet of Things, which is growing exponentially as designers build interactivity and data storage into hundreds of common products. Estimates range from 26 billion to 50 billion devices that will be connected to the Internet by 2020. Home thermostats, heating and air-conditioning; refrigerators that track inventory; the family car using on-board computers to regulate speed, operate rear-view cameras and “blind-spot” alarms, to parallel park and even to tint windows; smart meters to manage electricity consumption; Bluetooth devices, and myriad uses in manufacturing, environmental sensing, urban planning and health monitoring “are all Internet-connected, and all created without any security whatever in mind,” Pearse says. “People can just break into them, and this is just going to grow because people want to be connected.” Driverless theft, he warns, is not far distant: “I could hack into your car and start it without being anywhere near it,” he says. More familiar is simply cyber theft, Pearse says, inspired by new ways of making payments. “It’s huge in the U.S. and U.K. You just hold up your card and a device reads it. But it’s without any signatures. Anyone can use it to call up your financial information, all sorts of details.” Similarly, he points to near field communications, when two devices “talk” in the sense that, placed adjacently, they instantly transfer information, possibly “all of it, all my personal information,” as the capacity of such technology as smarphones continues to grow. “You want to set up a business, so you invest a lot of money in a till system and clip-on card readers. You just take one of them, plug it in, write a code and skim all the details” of every card that has been swiped though the device. Fourth, Pearse names the relatively straightforward “insecure passwords,” in which users use the same word for every service. A single hack gives intruders access to everything. Two-factor authentication is one answer, Pearse says, requiring two passwords derived from a list of six-digit codes that change randomly every 30 seconds. “Lots of companies don’t use this, though, leaving them wide open,” he says, pointing to last year’s hack of Target stores. The company outsourced its security to a third party, which used a single password for everything, he says. Finally, something as simple as “careless or uninformed employees” is as great a threat as anything else. “I copy company information to my PC from my company phone so I can work at home, but then I lose my phone and someone hacks it. Someone at a legal firm uses a drop box to take information home and loses the company’s device. Bring Your Own Device is used to combat this, with all the information encrypted on your own laptop, for example,” Pearse says. The problems can be solved, although he does not dispute that anything that can be done electronically can, by and large, be undone electronically, although algorithms that embed electronic keys can offer nearly unbreakable ciphers. Mobile device management is one idea, two-factor authentication is another, and then there’s the “kill pill” by which a company can send a program wiping everything from a remote personal device. Meanwhile, Microsoft has discontinued support for Windows XP – as of April 8, 2014 – and Server 2003 – as of July 14 this year – refusing more security “patches,” motivating users to move to newer, more secure programs. “A lot of individuals and businesses, however, are still using XP and 2003, leaving themselves open to attack,” Pearse says. He points to innovative new companies like London’s Darktrace, formed in 2013 by former MI6, FBI and CIA operatives, who have developed algorithms to track even the slightest irregularity in a company’s computer network. Richard Branson’s Virgin Trains calls it a game changer. “They create a ‘honey pot,‘” says Pearse, describing Darktrace, “and if anyone gets into the system, they go straight into the honey pot and you can find them. These algorithms hunt for even the most subtle changes in the network – data being copied, information being transferred, emails that have not been previously accessed – it flags all the changes. “There is so much information on the Web, and people are naive,” Pearse says. “They just don’t understand the magnitude of online banking, of Facebook, the cloud” – and pretty much every time anyone logs on to the Internet.
_______________________________________________ Dataloss Mailing List (dataloss () datalossdb org) Archived at http://seclists.org/dataloss/ Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com Supporters: Risk Based Security (http://www.riskbasedsecurity.com/) YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus on the right security. If you need security help or want to provide real risk reduction for your clients contact us!
Current thread:
- Cyber threats loom anew on the Internet of Things Audrey McNeil (Sep 04)